GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-24 15:02:46 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e ST950032 rev.0003 465,76GB Running: lzbn1wfl.exe; Driver: C:\Users\PITER\AppData\Local\Temp\aftciaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[448] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a5da60 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\csrss.exe[448] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a5dc60 8 bytes JMP 000000016fff0110 .text C:\windows\system32\csrss.exe[448] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 8 bytes JMP 000000016fff0148 .text C:\windows\system32\csrss.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a5da60 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\csrss.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a5dc60 8 bytes JMP 000000016fff0110 .text C:\windows\system32\csrss.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 8 bytes JMP 000000016fff0148 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\services.exe[596] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\services.exe[596] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\services.exe[596] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\services.exe[596] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\services.exe[596] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\services.exe[596] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\services.exe[596] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\services.exe[596] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\services.exe[596] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff353440 6 bytes {JMP QWORD [RIP+0x2ecbf0]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!RegisterRawInputDevices 00000000777f6ef0 6 bytes {JMP QWORD [RIP+0x8c49140]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SystemParametersInfoA 00000000777f8184 6 bytes {JMP QWORD [RIP+0x8d27eac]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SetParent 00000000777f8530 6 bytes {JMP QWORD [RIP+0x8c67b00]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SetWindowLongA 00000000777f9bcc 6 bytes {JMP QWORD [RIP+0x89c6464]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!PostMessageA 00000000777fa404 6 bytes {JMP QWORD [RIP+0x8a05c2c]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!EnableWindow 00000000777faaa0 6 bytes {JMP QWORD [RIP+0x8d65590]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!MoveWindow 00000000777faad0 6 bytes {JMP QWORD [RIP+0x8c85560]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!GetAsyncKeyState 00000000777fc720 6 bytes {JMP QWORD [RIP+0x8c23910]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!RegisterHotKey 00000000777fcd50 6 bytes {JMP QWORD [RIP+0x8d032e0]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!PostThreadMessageA 00000000777fd2b0 6 bytes {JMP QWORD [RIP+0x8a42d80]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendMessageA 00000000777fd338 6 bytes {JMP QWORD [RIP+0x8a82cf8]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendNotifyMessageW 00000000777fdc40 6 bytes {JMP QWORD [RIP+0x8b623f0]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SystemParametersInfoW 00000000777ff510 6 bytes {JMP QWORD [RIP+0x8d40b20]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SetWindowsHookExW 00000000777ff874 6 bytes {JMP QWORD [RIP+0x89807bc]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendMessageTimeoutW 00000000777ffac0 6 bytes {JMP QWORD [RIP+0x8ae0570]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000077800b74 6 bytes {JMP QWORD [RIP+0x8a5f4bc]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SetWindowLongW 00000000778033b0 6 bytes {JMP QWORD [RIP+0x89dcc80]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SetWinEventHook + 1 0000000077804d4d 5 bytes {JMP QWORD [RIP+0x899b2e4]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!GetKeyState 0000000077805010 6 bytes {JMP QWORD [RIP+0x8bfb020]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000077805438 6 bytes {JMP QWORD [RIP+0x8b1abf8]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendMessageW 0000000077806b50 6 bytes {JMP QWORD [RIP+0x8a994e0]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!PostMessageW 00000000778076e4 6 bytes {JMP QWORD [RIP+0x8a1894c]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendDlgItemMessageW 000000007780dd90 6 bytes {JMP QWORD [RIP+0x8b922a0]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!GetClipboardData 000000007780e874 6 bytes {JMP QWORD [RIP+0x8cd17bc]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SetClipboardViewer 000000007780f780 6 bytes {JMP QWORD [RIP+0x8c908b0]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000778128e4 6 bytes {JMP QWORD [RIP+0x8b2d74c]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!mouse_event 0000000077813894 6 bytes {JMP QWORD [RIP+0x892c79c]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!GetKeyboardState 0000000077818a10 6 bytes {JMP QWORD [RIP+0x8bc7620]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077818be0 6 bytes {JMP QWORD [RIP+0x8aa7450]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077818c20 6 bytes {JMP QWORD [RIP+0x8947410]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendInput 0000000077818cd0 6 bytes {JMP QWORD [RIP+0x8ba7360]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!BlockInput 000000007781ad60 6 bytes {JMP QWORD [RIP+0x8ca52d0]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!ExitWindowsEx 00000000778414e0 6 bytes {JMP QWORD [RIP+0x8d3eb50]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!keybd_event 00000000778645a4 6 bytes {JMP QWORD [RIP+0x88bba8c]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007786cc08 6 bytes {JMP QWORD [RIP+0x8b13428]} .text C:\windows\system32\services.exe[596] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007786df18 6 bytes {JMP QWORD [RIP+0x8a92118]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\services.exe[596] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\services.exe[596] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\lsass.exe[620] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\lsass.exe[620] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\lsm.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\lsm.exe[628] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\lsm.exe[628] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[784] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\svchost.exe[784] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[784] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff353440 6 bytes {JMP QWORD [RIP+0x2ecbf0]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\svchost.exe[784] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 208440 .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[864] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\svchost.exe[864] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[864] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff353440 6 bytes {JMP QWORD [RIP+0x2ecbf0]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\svchost.exe[864] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes JMP 1000000 .text C:\windows\system32\svchost.exe[864] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[992] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\svchost.exe[992] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[992] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes JMP 4637b0 .text C:\windows\system32\svchost.exe[992] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes JMP 0 .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\atiesrxx.exe[352] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\System32\svchost.exe[452] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\System32\svchost.exe[452] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 1fd002a .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes JMP 44a420 .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\System32\svchost.exe[452] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[452] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes JMP 7c9af41 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes JMP 13f013f .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes JMP 1a31a34 C:\windows\system32\SETUPAPI.dll .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes JMP 360035 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes JMP 73b5251 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes JMP 94f9661 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes JMP 6282eb1 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes JMP 450056 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes JMP 8c65c60 .text C:\windows\System32\svchost.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes JMP 1020102 .text C:\windows\System32\svchost.exe[800] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes JMP 6eeff10 .text C:\windows\System32\svchost.exe[800] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes JMP e600e6 .text C:\windows\System32\svchost.exe[800] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes JMP 10da880 .text C:\windows\System32\svchost.exe[800] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes JMP 9585079 .text C:\windows\System32\svchost.exe[800] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes JMP 1000 .text C:\windows\System32\svchost.exe[800] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\System32\svchost.exe[800] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\System32\svchost.exe[800] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\System32\svchost.exe[800] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\svchost.exe[1048] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff353440 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\SHELL32.dll!SHFileOperationW 000007fefdc48f1c 5 bytes [FF, 25, 14, 71, EB] .text C:\windows\system32\svchost.exe[1088] C:\windows\system32\SHELL32.dll!SHFileOperation 000007fefde622e4 6 bytes {JMP QWORD [RIP+0xc7dd4c]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\atieclxx.exe[1228] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\WLANExt.exe[1444] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\conhost.exe[1456] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x604648]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x5e3740]} .text C:\windows\System32\spoolsv.exe[1556] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 7250202c .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff353440 6 bytes {JMP QWORD [RIP+0x2ecbf0]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 4ab840 .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes JMP 46a440 .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes JMP fa3042c0 .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes JMP 483780 .text C:\windows\system32\svchost.exe[1696] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes [C0, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes [E1, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes [CC, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes [D2, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes [C9, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes [D5, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes [ED, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes [BA, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes [FF, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes [02, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes [DE, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes [F6, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes [FC, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes [F0, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes [F3, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes [C6, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes [BD, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes [DB, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes [C3, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes [D8, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes [E7, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes [E4, 70] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes [9B, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[1832] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[1896] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\svchost.exe[1896] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 540074 .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70c1000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70c1000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70e2000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70e2000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70cd000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70cd000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70d3000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70d3000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70ca000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70ca000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70fa000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70fa000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d6000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d6000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70ee000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70ee000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70eb000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70eb000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70d0000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70d0000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70bb000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70bb000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 7100000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 7100000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 7103000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 7103000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70df000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70df000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f7000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f7000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70fd000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70fd000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70f1000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70f1000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70f4000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70f4000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c7000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c7000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70be000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70be000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70dc000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70dc000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70c4000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70c4000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d9000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d9000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e8000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e8000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70e5000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70e5000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 715d000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 7151000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 710c000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 714b000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 7145000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 7163000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 7112000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 7112000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7157000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 712a000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 7121000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 7121000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7109000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 711e000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 711e000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 715a000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 7154000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 7160000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 714e000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 710f000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7166000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7139000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 713f000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7148000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7169000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 711b000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 711b000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7136000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 7133000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7127000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 712d000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 712d000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 7130000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 7130000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 7115000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7106000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 716c000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 716f000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 7142000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 713c000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7118000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7118000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 7124000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 7124000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 717b000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 7172000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7178000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 7175000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\AsusService.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes JMP c88b4800 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 33c03345 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes JMP 4827894c .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x604648]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x5e3740]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2020] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe[1044] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\System32\svchost.exe[1256] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\System32\svchost.exe[1256] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 37 .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[1848] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 6c006d .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\svchost.exe[1848] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[2236] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes JMP 0 .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes JMP 365437a5 .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\svchost.exe[2236] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes [DC, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes [C7, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes [CD, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes [C4, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes [E8, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes [FA, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes [D9, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes [F1, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes [F7, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes {JMP 0x72} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes [EE, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes [C1, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes [D6, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes [BE, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes [D3, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes [E2, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes [DF, 70] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes [9B, 71] .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNEL32.dll!CopyFileExW 0000000076ea3b52 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[2312] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3248] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 1b9 .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\svchost.exe[3816] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3436] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3436] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3436] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3436] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3436] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3436] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3436] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 3d33b70 .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL 0 .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes JMP 0 .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes JMP 1d024c01 .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes JMP 0 .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\SearchIndexer.exe[2552] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x604648]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x5e3740]} .text C:\windows\system32\wbem\wmiprvse.exe[4016] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL 9bc .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes JMP 0 .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\taskhost.exe[1248] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes JMP 0 .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\taskeng.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes JMP 0 .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\taskeng.exe[832] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 3684f0 .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP f2853649 .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\Dwm.exe[2036] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP c88b48ca .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes JMP 35adbe8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes JMP cccccccc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x368b90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3760] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 1460a3 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes [58, 52, 06] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4724] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotKeyMon.exe[4808] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075849650 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\SHELL32.dll!SHFileOperation 0000000075a4bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\SHE\SuperHybridEngine.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075849650 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\SHELL32.dll!SHFileOperation 0000000075a4bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\CapsHook\CapsHook.exe[5024] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70b7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70b7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70d8000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70d8000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70c3000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70c3000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70c9000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70c9000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70c0000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70c0000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70f0000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70f0000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70cc000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70cc000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70e4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70e4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70e1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70e1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70c6000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70c6000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70b1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70b1000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 70f6000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 70f6000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 70f9000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 70f9000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70d5000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70d5000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70ed000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70ed000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70f3000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70f3000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70e7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70e7000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 00000000cc4ed22d .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70bd000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70bd000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70b4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70b4000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70d2000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70d2000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70ba000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70ba000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70cf000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70cf000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70de000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70de000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70db000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70db000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7183000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717a000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 7186000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7180000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 717d000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 7153000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 7147000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 7102000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 7141000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 713b000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 7159000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 7108000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 7108000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 714d000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 7120000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 7117000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 7117000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 70ff000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 7114000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 7114000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 7150000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 714a000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 7156000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 7144000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 7105000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 715c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 712f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 7135000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 713e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 715f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 7111000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 7111000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 712c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 7129000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 711d000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 7123000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 7123000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 7126000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 7126000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 710b000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 70fc000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 7162000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 7165000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 7138000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 7132000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 710e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 710e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 711a000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 711a000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 7189000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 7171000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 718c000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 7168000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 716e000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 718f000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 716b000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075849650 6 bytes JMP 7174000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\SHELL32.dll!SHFileOperation 0000000075a4bb21 6 bytes JMP 7177000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\HotkeyService\HotkeyService.exe[5040] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70be000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\USBChargeSetting\iSeriesCharge.exe[720] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70ad000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70aa000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70da000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70da000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 709b000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 709b000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 709e000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 709e000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 713d000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 7131000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 70ec000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 712b000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 7125000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 7143000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7137000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 710a000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 7101000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076b42d69 1 byte [71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 70e9000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 713a000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 7134000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 7140000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 712e000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 70ef000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7146000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7119000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 711f000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7128000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7149000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7116000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 7113000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7107000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 710d000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 710d000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 7110000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 7110000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 70f5000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 70e6000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 714c000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 714f000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 7122000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 711c000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 7104000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 7104000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 715b000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 7152000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7158000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 7155000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075849650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\SHELL32.dll!SHFileOperation 0000000075a4bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075849650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\SHELL32.dll!SHFileOperation 0000000075a4bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075849650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\SHELL32.dll!SHFileOperation 0000000075a4bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4444] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\svchost.exe[5448] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\svchost.exe[5448] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes JMP 0 .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 53004d .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0xb7674]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xf6d10]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\system32\rundll32.exe[5260] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 0 .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\Explorer.EXE[5224] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL ffffffff .text C:\windows\Explorer.EXE[5224] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes JMP 0 .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes JMP f32b1448 .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes JMP 0 .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes JMP 0 .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x4a4648]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x483740]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!RegisterRawInputDevices 00000000777f6ef0 6 bytes {JMP QWORD [RIP+0x8c49140]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SystemParametersInfoA 00000000777f8184 6 bytes {JMP QWORD [RIP+0x8d27eac]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SetParent 00000000777f8530 6 bytes {JMP QWORD [RIP+0x8c67b00]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SetWindowLongA 00000000777f9bcc 6 bytes {JMP QWORD [RIP+0x89c6464]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!PostMessageA 00000000777fa404 6 bytes {JMP QWORD [RIP+0x8a05c2c]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!EnableWindow 00000000777faaa0 6 bytes {JMP QWORD [RIP+0x8d65590]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!MoveWindow 00000000777faad0 6 bytes {JMP QWORD [RIP+0x8c85560]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!GetAsyncKeyState 00000000777fc720 6 bytes {JMP QWORD [RIP+0x8c23910]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!RegisterHotKey 00000000777fcd50 6 bytes {JMP QWORD [RIP+0x8d032e0]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!PostThreadMessageA 00000000777fd2b0 6 bytes {JMP QWORD [RIP+0x8a42d80]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendMessageA 00000000777fd338 6 bytes {JMP QWORD [RIP+0x8a82cf8]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendNotifyMessageW 00000000777fdc40 6 bytes {JMP QWORD [RIP+0x8b623f0]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SystemParametersInfoW 00000000777ff510 6 bytes {JMP QWORD [RIP+0x8d40b20]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SetWindowsHookExW 00000000777ff874 6 bytes {JMP QWORD [RIP+0x89807bc]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendMessageTimeoutW 00000000777ffac0 6 bytes {JMP QWORD [RIP+0x8ae0570]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000077800b74 6 bytes {JMP QWORD [RIP+0x8a5f4bc]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SetWindowLongW 00000000778033b0 6 bytes {JMP QWORD [RIP+0x89dcc80]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SetWinEventHook + 1 0000000077804d4d 5 bytes {JMP QWORD [RIP+0x899b2e4]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!GetKeyState 0000000077805010 6 bytes {JMP QWORD [RIP+0x8bfb020]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000077805438 6 bytes {JMP QWORD [RIP+0x8b1abf8]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendMessageW 0000000077806b50 6 bytes {JMP QWORD [RIP+0x8a994e0]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!PostMessageW 00000000778076e4 6 bytes {JMP QWORD [RIP+0x8a1894c]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendDlgItemMessageW 000000007780dd90 6 bytes {JMP QWORD [RIP+0x8b922a0]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!GetClipboardData 000000007780e874 6 bytes {JMP QWORD [RIP+0x8cd17bc]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SetClipboardViewer 000000007780f780 6 bytes {JMP QWORD [RIP+0x8c908b0]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000778128e4 6 bytes {JMP QWORD [RIP+0x8b2d74c]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!mouse_event 0000000077813894 6 bytes {JMP QWORD [RIP+0x892c79c]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!GetKeyboardState 0000000077818a10 6 bytes {JMP QWORD [RIP+0x8bc7620]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077818be0 6 bytes {JMP QWORD [RIP+0x8aa7450]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077818c20 6 bytes {JMP QWORD [RIP+0x8947410]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendInput 0000000077818cd0 6 bytes {JMP QWORD [RIP+0x8ba7360]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!BlockInput 000000007781ad60 6 bytes {JMP QWORD [RIP+0x8ca52d0]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!ExitWindowsEx 00000000778414e0 6 bytes {JMP QWORD [RIP+0x8d3eb50]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!keybd_event 00000000778645a4 6 bytes {JMP QWORD [RIP+0x88bba8c]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007786cc08 6 bytes {JMP QWORD [RIP+0x8b13428]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007786df18 6 bytes {JMP QWORD [RIP+0x8a92118]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\SHELL32.dll!SHFileOperationW 000007fefdc48f1c 5 bytes [FF, 25, 14, 71, D7] .text C:\windows\Explorer.EXE[5224] C:\windows\system32\SHELL32.dll!SHFileOperation 000007fefde622e4 6 bytes {JMP QWORD [RIP+0xb3dd4c]} .text C:\windows\Explorer.EXE[5224] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes JMP 61004e .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes {JMP QWORD [RIP+0x42db70]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes JMP 300030 .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes JMP 0 .text C:\Program Files\Asus\Eee Docking\Eee Docking.exe[3016] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a33250 6 bytes {JMP QWORD [RIP+0x860cde0]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077a5daa0 6 bytes {JMP QWORD [RIP+0x85c2590]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a5db70 6 bytes {JMP QWORD [RIP+0x8e024c0]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a5dc70 6 bytes {JMP QWORD [RIP+0x8ca23c0]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a5dce0 6 bytes {JMP QWORD [RIP+0x8d82350]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a5dd20 6 bytes {JMP QWORD [RIP+0x8d42310]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a5ddc0 6 bytes {JMP QWORD [RIP+0x8da2270]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a5de30 6 bytes {JMP QWORD [RIP+0x8ba2200]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a5de50 6 bytes {JMP QWORD [RIP+0x8d221e0]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a5de90 6 bytes {JMP QWORD [RIP+0x8c221a0]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a5dee0 6 bytes {JMP QWORD [RIP+0x8c42150]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a5df00 6 bytes {JMP QWORD [RIP+0x8d62130]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a5e0f0 6 bytes {JMP QWORD [RIP+0x8e41f40]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a5e100 6 bytes {JMP QWORD [RIP+0x8b61f30]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a5e200 6 bytes {JMP QWORD [RIP+0x8b41e30]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a5e2d0 6 bytes {JMP QWORD [RIP+0x8cc1d60]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a5e310 6 bytes {JMP QWORD [RIP+0x8bc1d20]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a5e380 6 bytes {JMP QWORD [RIP+0x8b81cb0]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a5e3b0 6 bytes {JMP QWORD [RIP+0x8c01c80]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a5e410 6 bytes {JMP QWORD [RIP+0x8be1c20]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5e420 6 bytes {JMP QWORD [RIP+0x8dc1c10]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a5e430 6 bytes {JMP QWORD [RIP+0x8e21c00]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a5e7a0 6 bytes {JMP QWORD [RIP+0x8ce1890]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a5e830 6 bytes {JMP QWORD [RIP+0x8de1800]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a5f0a0 6 bytes {JMP QWORD [RIP+0x8d00f90]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a5f120 6 bytes {JMP QWORD [RIP+0x8c60f10]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a5f1a0 6 bytes {JMP QWORD [RIP+0x8c80e90]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\kernel32.dll!CopyFileExW 00000000779018f0 6 bytes {JMP QWORD [RIP+0x87fe740]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007790db10 6 bytes {JMP QWORD [RIP+0x8752520]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007797f4e0 6 bytes {JMP QWORD [RIP+0x8720b50]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007797f510 6 bytes {JMP QWORD [RIP+0x8760b20]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007797f6e0 6 bytes {JMP QWORD [RIP+0x8700950]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000779854b0 6 bytes {JMP QWORD [RIP+0x873ab80]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd8eadb2 3 bytes CALL b55 .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8f6090 5 bytes [FF, 25, A0, 9F, 0A] .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!DeleteDC 000007feff1f22cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!BitBlt 000007feff1f24c0 6 bytes JMP 0 .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!MaskBlt 000007feff1f5bf0 6 bytes {JMP QWORD [RIP+0x44a440]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!CreateDCW 000007feff1f8398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!CreateDCA 000007feff1f89bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!GetPixel 000007feff1f9320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!StretchBlt 000007feff1fb9e8 6 bytes {JMP QWORD [RIP+0x484648]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\GDI32.dll!PlgBlt 000007feff1fc8f0 6 bytes {JMP QWORD [RIP+0x463740]} .text C:\windows\system32\taskmgr.exe[5364] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefef274a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077c0fa20 3 bytes JMP 71af000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c0fa24 2 bytes JMP 71af000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c0fb68 3 bytes JMP 70c1000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c0fb6c 2 bytes JMP 70c1000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c0fcf0 3 bytes JMP 70e2000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c0fcf4 2 bytes JMP 70e2000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c0fda4 3 bytes JMP 70cd000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c0fda8 2 bytes JMP 70cd000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c0fe08 3 bytes JMP 70d3000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c0fe0c 2 bytes JMP 70d3000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c0ff00 3 bytes JMP 70ca000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c0ff04 2 bytes JMP 70ca000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c0ffb4 3 bytes JMP 70fa000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c0ffb8 2 bytes JMP 70fa000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c0ffe4 3 bytes JMP 70d6000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c0ffe8 2 bytes JMP 70d6000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c10044 3 bytes JMP 70ee000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c10048 2 bytes JMP 70ee000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c100c4 3 bytes JMP 70eb000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c100c8 2 bytes JMP 70eb000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c100f4 3 bytes JMP 70d0000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c100f8 2 bytes JMP 70d0000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c103f8 3 bytes JMP 70bb000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c103fc 2 bytes JMP 70bb000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c10410 3 bytes JMP 7100000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c10414 2 bytes JMP 7100000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c10590 3 bytes JMP 7103000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c10594 2 bytes JMP 7103000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c106d4 3 bytes JMP 70df000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c106d8 2 bytes JMP 70df000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c10734 3 bytes JMP 70f7000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c10738 2 bytes JMP 70f7000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c107dc 3 bytes JMP 70fd000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c107e0 2 bytes JMP 70fd000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c10824 3 bytes JMP 70f1000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c10828 2 bytes JMP 70f1000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c108b4 3 bytes JMP 70f4000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c108b8 2 bytes JMP 70f4000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c108cc 3 bytes JMP 70c7000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c108d0 2 bytes JMP 70c7000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c108e4 3 bytes JMP 70be000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c108e8 2 bytes JMP 70be000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c10e34 3 bytes JMP 70dc000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c10e38 2 bytes JMP 70dc000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c10f18 3 bytes JMP 70c4000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c10f1c 2 bytes JMP 70c4000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c11c24 3 bytes JMP 70d9000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c11c28 2 bytes JMP 70d9000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c11cf4 3 bytes JMP 70e8000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c11cf8 2 bytes JMP 70e8000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c11dcc 3 bytes JMP 70e5000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c11dd0 2 bytes JMP 70e5000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c33b8c 6 bytes JMP 71a8000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076e93b93 3 bytes JMP 719c000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076e93b97 2 bytes JMP 719c000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076e99a8c 6 bytes JMP 7187000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000076ea3b52 6 bytes JMP 717e000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076eaccd1 6 bytes JMP 718a000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076efdc4e 6 bytes JMP 7184000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076efdcf1 6 bytes JMP 7181000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000777af784 6 bytes JMP 719f000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000777b2ca4 4 bytes CALL 71ac0000 .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076b38332 6 bytes JMP 715d000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b38bff 6 bytes JMP 7151000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b390d3 6 bytes JMP 710c000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b39679 6 bytes JMP 714b000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b397d2 6 bytes JMP 7145000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076b3ee09 6 bytes JMP 7163000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!RegisterHotKey 0000000076b3efc9 3 bytes JMP 7112000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b3efcd 2 bytes JMP 7112000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b412a5 6 bytes JMP 7157000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076b4291f 6 bytes JMP 712a000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetParent 0000000076b42d64 3 bytes JMP 7121000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetParent + 4 0000000076b42d68 2 bytes JMP 7121000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!EnableWindow 0000000076b42da4 6 bytes JMP 7109000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!MoveWindow 0000000076b43698 3 bytes JMP 711e000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b4369c 2 bytes JMP 711e000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b43baa 6 bytes JMP 715a000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b43c61 6 bytes JMP 7154000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000076b46110 6 bytes JMP 7160000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b4612e 6 bytes JMP 714e000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b46c30 6 bytes JMP 710f000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b47603 6 bytes JMP 7166000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b47668 6 bytes JMP 7139000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b476e0 6 bytes JMP 713f000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b4781f 6 bytes JMP 7148000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b4835c 6 bytes JMP 7169000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b4c4b6 3 bytes JMP 711b000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b4c4ba 2 bytes JMP 711b000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b5c112 6 bytes JMP 7136000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b5d0f5 6 bytes JMP 7133000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b5eb96 6 bytes JMP 7127000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076b5ec68 3 bytes JMP 712d000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b5ec6c 2 bytes JMP 712d000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendInput 0000000076b5ff4a 3 bytes JMP 7130000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b5ff4e 2 bytes JMP 7130000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!GetClipboardData 0000000076b79f1d 6 bytes JMP 7115000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b81497 6 bytes JMP 7106000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b9027b 6 bytes JMP 716c000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b902bf 6 bytes JMP 716f000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b96cfc 6 bytes JMP 7142000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b96d5d 6 bytes JMP 713c000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!BlockInput 0000000076b97dd7 3 bytes JMP 7118000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076b97ddb 2 bytes JMP 7118000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b988eb 3 bytes JMP 7124000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b988ef 2 bytes JMP 7124000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000764558b3 6 bytes JMP 718d000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!BitBlt 0000000076455ea5 6 bytes JMP 717b000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000076457ba4 6 bytes JMP 7196000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!GetPixel 000000007645b986 6 bytes JMP 7190000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007645ba5f 6 bytes JMP 7172000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007645cc01 6 bytes JMP 7178000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007645ea03 6 bytes JMP 7193000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076484969 6 bytes JMP 7175000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ca9d0b 6 bytes JMP 7199000a .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 76eab20b C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 76eab336 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 76f28f39 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 76e84885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 76f28832 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 76f28a08 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 76f28728 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 76f28af2 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 76e9fc98 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 76ea68df C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 76f28ff1 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 76f28b52 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 76f286ec C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 76e9fd31 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 76eab2cc C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 76f28eb4 C:\windows\syswow64\kernel32.dll .text D:\INSTALKI\BEZPIECZENSTWO\Nowy folder (3)\lzbn1wfl.exe[6072] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 76f28681 C:\windows\syswow64\kernel32.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc11a88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd6c960 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd6c960@9ccad90c3014 0xC6 0x9C 0x0E 0xA1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd6c960@0021098c0f0a 0x7A 0x47 0x2C 0x72 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd6c960@6c23b9204ca1 0x62 0x16 0xD1 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dd6c960@64b853569c68 0xC9 0xA7 0x32 0xE0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc11a88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd6c960 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd6c960@9ccad90c3014 0xC6 0x9C 0x0E 0xA1 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd6c960@0021098c0f0a 0x7A 0x47 0x2C 0x72 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd6c960@6c23b9204ca1 0x62 0x16 0xD1 0x03 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dd6c960@64b853569c68 0xC9 0xA7 0x32 0xE0 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----