GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-07 22:55:59
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003 298,09GB
Running: g71lt1yd.exe; Driver: C:\Users\AGNIES~1\AppData\Local\Temp\fxldapow.sys
---- Kernel code sections - GMER 2.1 ----
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001b3c00 7 bytes [00, 96, F3, FF, 01, A2, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960001b3c08 3 bytes [C0, 06, 02]
---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077466ef0 6 bytes {JMP QWORD [RIP+0x8f39140]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077468184 6 bytes {JMP QWORD [RIP+0x9017eac]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SetParent 0000000077468530 6 bytes {JMP QWORD [RIP+0x8f57b00]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!PostMessageA 000000007746a404 6 bytes {JMP QWORD [RIP+0x8cf5c2c]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!EnableWindow 000000007746aaa0 6 bytes {JMP QWORD [RIP+0x9055590]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!MoveWindow 000000007746aad0 6 bytes {JMP QWORD [RIP+0x8f75560]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007746c720 6 bytes {JMP QWORD [RIP+0x8f13910]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007746cd50 6 bytes {JMP QWORD [RIP+0x8ff32e0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007746d2b0 6 bytes {JMP QWORD [RIP+0x8d32d80]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendMessageA 000000007746d338 6 bytes {JMP QWORD [RIP+0x8d72cf8]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007746dc40 6 bytes {JMP QWORD [RIP+0x8e523f0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007746f510 6 bytes {JMP QWORD [RIP+0x9030b20]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007746f874 6 bytes {JMP QWORD [RIP+0x8cb07bc]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007746fac0 6 bytes {JMP QWORD [RIP+0x8dd0570]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077470b74 6 bytes {JMP QWORD [RIP+0x8d4f4bc]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077474d4d 5 bytes {JMP QWORD [RIP+0x8ccb2e4]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!GetKeyState 0000000077475010 6 bytes {JMP QWORD [RIP+0x8eeb020]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077475438 6 bytes {JMP QWORD [RIP+0x8e0abf8]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendMessageW 0000000077476b50 6 bytes {JMP QWORD [RIP+0x8d894e0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!PostMessageW 00000000774776e4 6 bytes {JMP QWORD [RIP+0x8d0894c]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007747dd90 6 bytes {JMP QWORD [RIP+0x8e822a0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!GetClipboardData 000000007747e874 6 bytes {JMP QWORD [RIP+0x8fc17bc]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007747f780 6 bytes {JMP QWORD [RIP+0x8f808b0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774828e4 6 bytes {JMP QWORD [RIP+0x8e1d74c]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!mouse_event 0000000077483894 6 bytes {JMP QWORD [RIP+0x8c5c79c]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077488a10 6 bytes {JMP QWORD [RIP+0x8eb7620]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077488be0 6 bytes {JMP QWORD [RIP+0x8d97450]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077488c20 4 bytes [FF, 25, 10, 74]
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 5 0000000077488c25 1 byte [08]
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendInput 0000000077488cd0 6 bytes {JMP QWORD [RIP+0x8e97360]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!BlockInput 000000007748ad60 6 bytes {JMP QWORD [RIP+0x8f952d0]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774b14e0 6 bytes {JMP QWORD [RIP+0x902eb50]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!keybd_event 00000000774d45a4 6 bytes {JMP QWORD [RIP+0x8beba8c]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000774dcc08 6 bytes {JMP QWORD [RIP+0x8e03428]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000774ddf18 6 bytes {JMP QWORD [RIP+0x8d82118]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7c6bd0 6 bytes JMP 101
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077466ef0 6 bytes {JMP QWORD [RIP+0x8f39140]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077468184 6 bytes {JMP QWORD [RIP+0x9017eac]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetParent 0000000077468530 6 bytes {JMP QWORD [RIP+0x8f57b00]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostMessageA 000000007746a404 6 bytes {JMP QWORD [RIP+0x8cf5c2c]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!EnableWindow 000000007746aaa0 6 bytes {JMP QWORD [RIP+0x9055590]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!MoveWindow 000000007746aad0 6 bytes {JMP QWORD [RIP+0x8f75560]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007746c720 6 bytes {JMP QWORD [RIP+0x8f13910]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007746cd50 6 bytes {JMP QWORD [RIP+0x8ff32e0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007746d2b0 6 bytes {JMP QWORD [RIP+0x8d32d80]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageA 000000007746d338 6 bytes {JMP QWORD [RIP+0x8d72cf8]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007746dc40 6 bytes {JMP QWORD [RIP+0x8e523f0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007746f510 6 bytes {JMP QWORD [RIP+0x9030b20]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007746f874 6 bytes {JMP QWORD [RIP+0x8cb07bc]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007746fac0 6 bytes {JMP QWORD [RIP+0x8dd0570]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077470b74 6 bytes {JMP QWORD [RIP+0x8d4f4bc]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077474d4d 5 bytes {JMP QWORD [RIP+0x8ccb2e4]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetKeyState 0000000077475010 6 bytes {JMP QWORD [RIP+0x8eeb020]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077475438 6 bytes {JMP QWORD [RIP+0x8e0abf8]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageW 0000000077476b50 6 bytes {JMP QWORD [RIP+0x8d894e0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostMessageW 00000000774776e4 6 bytes {JMP QWORD [RIP+0x8d0894c]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007747dd90 6 bytes {JMP QWORD [RIP+0x8e822a0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetClipboardData 000000007747e874 6 bytes {JMP QWORD [RIP+0x8fc17bc]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007747f780 6 bytes {JMP QWORD [RIP+0x8f808b0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774828e4 6 bytes {JMP QWORD [RIP+0x8e1d74c]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!mouse_event 0000000077483894 6 bytes {JMP QWORD [RIP+0x8c5c79c]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077488a10 6 bytes {JMP QWORD [RIP+0x8eb7620]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077488be0 6 bytes {JMP QWORD [RIP+0x8d97450]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077488c20 4 bytes [FF, 25, 10, 74]
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 5 0000000077488c25 1 byte [08]
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendInput 0000000077488cd0 6 bytes {JMP QWORD [RIP+0x8e97360]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!BlockInput 000000007748ad60 6 bytes {JMP QWORD [RIP+0x8f952d0]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774b14e0 6 bytes {JMP QWORD [RIP+0x902eb50]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!keybd_event 00000000774d45a4 6 bytes {JMP QWORD [RIP+0x8beba8c]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000774dcc08 6 bytes {JMP QWORD [RIP+0x8e03428]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000774ddf18 6 bytes {JMP QWORD [RIP+0x8d82118]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes JMP 0
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes JMP ab8b
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\services.exe[680] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes JMP 20000
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes JMP 30a448
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes JMP 220025
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes JMP fb00fb60
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes JMP 50
.text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 2f0538
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\lsm.exe[696] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes JMP db
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7c6bd0 6 bytes {JMP QWORD [RIP+0x109460]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 300030
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes JMP b
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7c6bd0 6 bytes {JMP QWORD [RIP+0x109460]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes JMP 800000ac
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]}
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes JMP 894ec18
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes JMP e255e6ae
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes JMP 490054
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes JMP 8f3f5e1
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes JMP 1e6580
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes JMP 843f3b1
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes JMP e6abe6ab
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes JMP bb980
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes JMP 902d158
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes JMP 8dbaa99
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes JMP 8fc0e38
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes JMP e5b4e5b4
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes JMP 13a280
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes JMP 5c0053
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes JMP 614e80
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes JMP 8f14e99
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes JMP e6b0
.text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes JMP e6c5
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes JMP 58d580
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes JMP 8abd418
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes JMP e253e43a
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes JMP 287ba0
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7c6bd0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes JMP 1
.text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7c6bd0 6 bytes {JMP QWORD [RIP+0x109460]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes JMP fd752bf8
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes JMP 7f2e
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x67dd64]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x69db70]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x6ba450]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x637c98]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x617668]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x656cec]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x6f4648]}
.text C:\Windows\System32\spoolsv.exe[1640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x6cac20]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes JMP 7112000a
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes JMP 7112000a
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe[1824] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Program Files\Bonjour\mDNSResponder.exe[1896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 460058
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[1932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2052] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes JMP 7112000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes JMP 7112000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes JMP 71a8000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes JMP 7166000a
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 9
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xe45e90]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes JMP 7112000a
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes JMP 7112000a
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2852] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes JMP 0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2860] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes JMP 4a5bdf40
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\SearchIndexer.exe[3052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\system32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 9
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x67dd64]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x69db70]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x6ba450]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x637c98]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x617668]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x656cec]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x6f4648]}
.text C:\Windows\servicing\TrustedInstaller.exe[3156] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x6cac20]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 9
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x67dd64]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x69db70]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x6ba450]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes JMP c1d8f3f0
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x617668]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x656cec]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x6f4648]}
.text C:\Windows\system32\taskhost.exe[3228] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x6cac20]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x67dd64]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x69db70]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x6ba450]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x637c98]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x617668]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x656cec]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x6f4648]}
.text C:\Windows\system32\taskeng.exe[3284] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x6cac20]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x67dd64]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x69db70]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes JMP 0
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x637c98]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x617668]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x656cec]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x6f4648]}
.text C:\Windows\system32\Dwm.exe[3292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x6cac20]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes JMP 904e630
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Windows\Explorer.EXE[3436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe[3476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [CC, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [D2, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [C9, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [D5, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [CF, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [BD, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [C6, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [C0, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [DB, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [C3, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [D8, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 7103000a
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 7103000a
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [D5, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [D8, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [DB, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe[3520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x67dd64]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x69db70]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x6ba450]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x637c98]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x617668]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x656cec]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x6f4648]}
.text C:\Windows\SysWOW64\ACEngSvr.exe[3972] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x6cac20]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Windows\System32\igfxpers.exe[4068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Windows\System32\hkcmd.exe[3364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files\Elantech\ETDCtrl.exe[3560] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes CALL 5b000038
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes JMP 0
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes JMP 0
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes JMP 0
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x287c98]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[396] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[3172] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x140dd64]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x142db70]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes {JMP QWORD [RIP+0x13c7c98]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x13a7668]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x13e6cec]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3168] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x145ac20]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3152] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 7106000a
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 7106000a
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [D8, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [0B, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [DB, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes JMP 7154000a
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [1A, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7132001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [29, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7111001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [26, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [23, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x713e001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x713b001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x712f001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [35, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [38, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x710e001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [20, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [2C, 71]
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[3384] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4476] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes [02, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes [ED, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes [F3, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes [EA, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes [F6, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes [0E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes [F0, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes [DE, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes [11, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes [FF, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes [E7, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes [E1, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes [FC, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes [E4, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes [F9, 70]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes [08, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes [05, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes {JMP QWORD [RIP+0x711a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes [20, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes [2F, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes {JMP QWORD [RIP+0x7117001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes [2C, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes {JMP QWORD [RIP+0x711d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes [29, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes [3B, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes [3E, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes {JMP QWORD [RIP+0x7114001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes {JMP QWORD [RIP+0x7177001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes [26, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes [32, 71]
.text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4596] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes JMP 6f004d
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes JMP f888e7a6
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes JMP 0
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Windows\System32\svchost.exe[4416] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe06a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776a3ae0 6 bytes {JMP QWORD [RIP+0x899c550]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776d1400 6 bytes {JMP QWORD [RIP+0x894ec30]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776d15d0 6 bytes {JMP QWORD [RIP+0x8ecea60]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776d1640 6 bytes {JMP QWORD [RIP+0x8fae9f0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776d1680 6 bytes {JMP QWORD [RIP+0x8f6e9b0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776d1720 6 bytes {JMP QWORD [RIP+0x8fce910]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776d17b0 6 bytes {JMP QWORD [RIP+0x8f4e880]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776d17f0 6 bytes {JMP QWORD [RIP+0x8e4e840]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776d1840 6 bytes {JMP QWORD [RIP+0x8e6e7f0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776d1860 6 bytes {JMP QWORD [RIP+0x8f8e7d0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776d1a50 6 bytes {JMP QWORD [RIP+0x904e5e0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776d1b60 6 bytes {JMP QWORD [RIP+0x8e2e4d0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776d1c30 6 bytes {JMP QWORD [RIP+0x8eee400]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776d1d80 6 bytes {JMP QWORD [RIP+0x8fee2b0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776d1d90 6 bytes {JMP QWORD [RIP+0x902e2a0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776d2100 6 bytes {JMP QWORD [RIP+0x8f0df30]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776d2190 6 bytes {JMP QWORD [RIP+0x900dea0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776d2a00 6 bytes {JMP QWORD [RIP+0x8f2d630]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776d2a80 6 bytes {JMP QWORD [RIP+0x8e8d5b0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776d2b00 6 bytes {JMP QWORD [RIP+0x8ead530]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007756a420 6 bytes {JMP QWORD [RIP+0x8b35c10]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077581b50 6 bytes {JMP QWORD [RIP+0x8ade4e0]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000775f8810 6 bytes {JMP QWORD [RIP+0x8a87820]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd939aa5 3 bytes [65, 65, 06]
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd945290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdb222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdb224c0 6 bytes {JMP QWORD [RIP+0x2edb70]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdb25be0 6 bytes {JMP QWORD [RIP+0x30a450]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdb28398 6 bytes JMP 0
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdb289c8 6 bytes {JMP QWORD [RIP+0x267668]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdb29344 6 bytes {JMP QWORD [RIP+0x2a6cec]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdb2b9e8 6 bytes {JMP QWORD [RIP+0x344648]}
.text C:\Program Files (x86)\ASUS\ASUS WebStorage\EeeStorageUploader.exe[4552] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdb35410 6 bytes {JMP QWORD [RIP+0x31ac20]}
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007787f9c0 3 bytes JMP 71af000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007787f9c4 2 bytes JMP 71af000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007787fc90 3 bytes JMP 7103000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007787fc94 2 bytes JMP 7103000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007787fd44 3 bytes JMP 70ee000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007787fd48 2 bytes JMP 70ee000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007787fda8 3 bytes JMP 70f4000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007787fdac 2 bytes JMP 70f4000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007787fea0 3 bytes JMP 70eb000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007787fea4 2 bytes JMP 70eb000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007787ff84 3 bytes JMP 70f7000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007787ff88 2 bytes JMP 70f7000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007787ffe4 3 bytes JMP 710f000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007787ffe8 2 bytes JMP 710f000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077880064 3 bytes JMP 710c000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077880068 2 bytes JMP 710c000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077880094 3 bytes JMP 70f1000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077880098 2 bytes JMP 70f1000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077880398 3 bytes JMP 70df000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007788039c 2 bytes JMP 70df000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077880530 3 bytes JMP 7112000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077880534 2 bytes JMP 7112000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077880674 3 bytes JMP 7100000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077880678 2 bytes JMP 7100000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007788086c 3 bytes JMP 70e8000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077880870 2 bytes JMP 70e8000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077880884 3 bytes JMP 70e2000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077880888 2 bytes JMP 70e2000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077880dd4 3 bytes JMP 70fd000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077880dd8 2 bytes JMP 70fd000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077880eb8 3 bytes JMP 70e5000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077880ebc 2 bytes JMP 70e5000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077881bc4 3 bytes JMP 70fa000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077881bc8 2 bytes JMP 70fa000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077881c94 3 bytes JMP 7109000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077881c98 2 bytes JMP 7109000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077881d6c 3 bytes JMP 7106000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077881d70 2 bytes JMP 7106000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778a1217 6 bytes JMP 71a8000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007651103d 6 bytes JMP 719c000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076511072 6 bytes JMP 7199000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007653c9b5 6 bytes JMP 7193000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007554f776 6 bytes JMP 719f000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075552c91 4 bytes CALL 71ac0000
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076988bff 6 bytes JMP 7160000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769890d3 6 bytes JMP 711b000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076989679 6 bytes JMP 715a000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769897d2 6 bytes JMP 7154000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007698ee09 6 bytes JMP 716c000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007698efc9 3 bytes JMP 7121000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007698efcd 2 bytes JMP 7121000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769912a5 6 bytes JMP 7166000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007699291f 6 bytes JMP 7139000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SetParent 0000000076992d64 3 bytes JMP 7130000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076992d68 2 bytes JMP 7130000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076992da4 6 bytes JMP 7118000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076993698 3 bytes JMP 712d000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007699369c 2 bytes JMP 712d000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076993baa 6 bytes JMP 7169000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076993c61 6 bytes JMP 7163000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007699612e 6 bytes JMP 715d000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076996c30 6 bytes JMP 711e000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076997603 6 bytes JMP 716f000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076997668 6 bytes JMP 7148000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769976e0 6 bytes JMP 714e000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007699781f 6 bytes JMP 7157000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007699835c 6 bytes JMP 7172000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007699c4b6 3 bytes JMP 712a000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007699c4ba 2 bytes JMP 712a000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000769ac112 6 bytes JMP 7145000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000769ad0f5 6 bytes JMP 7142000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000769aeb96 6 bytes JMP 7136000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000769aec68 3 bytes JMP 713c000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000769aec6c 2 bytes JMP 713c000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendInput 00000000769aff4a 3 bytes JMP 713f000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000769aff4e 2 bytes JMP 713f000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000769c9f1d 6 bytes JMP 7124000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769d1497 6 bytes JMP 7115000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769e027b 6 bytes JMP 7175000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769e02bf 6 bytes JMP 7178000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769e6cfc 6 bytes JMP 7151000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769e6d5d 6 bytes JMP 714b000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769e7dd7 3 bytes JMP 7127000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769e7ddb 2 bytes JMP 7127000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769e88eb 3 bytes JMP 7133000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769e88ef 2 bytes JMP 7133000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000773b58b3 6 bytes JMP 7187000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000773b5ea6 6 bytes JMP 7184000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000773b7bcc 6 bytes JMP 7190000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000773bb895 6 bytes JMP 717b000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000773bc332 6 bytes JMP 7181000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000773bcbfb 6 bytes JMP 718a000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000773be743 6 bytes JMP 718d000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000773e4646 6 bytes JMP 717e000a
.text C:\Users\agnieszka\Desktop\g71lt1yd.exe[2588] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076812538 6 bytes JMP 7196000a
---- User IAT/EAT - GMER 2.1 ----
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef8f3741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8f35f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8f35674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8f35e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8f37f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8f36a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8f36ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8f37b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8f37ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef8f378b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8f34fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8f35d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8f37584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [13febde30] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [13febf140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [13febf320] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [13febdfd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [13febdf10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [13febe080] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [13febe140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [13febe1f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [13febf640] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [13febddc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [13febeef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [13febf6d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [13febf590] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [13febde90] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [13febeb70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [13febfa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [13febfaf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [13febfa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [13febfd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [13febfaf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [13febfd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [13febf9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5324] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [13febfa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe
---- Threads - GMER 2.1 ----
Thread C:\Windows\system32\lsass.exe [688:760] 000007fefd22df50
Thread C:\Windows\system32\svchost.exe [844:876] 000007fefc961558
Thread C:\Windows\system32\svchost.exe [844:888] 000007fefc8a332c
Thread C:\Windows\system32\svchost.exe [844:892] 000007fefc8a10b0
Thread C:\Windows\System32\svchost.exe [860:2076] 000007fef93e42c8
Thread C:\Windows\System32\svchost.exe [860:2084] 000007fef9405fd0
Thread C:\Windows\System32\svchost.exe [860:2088] 000007fef94063ec
Thread C:\Windows\System32\svchost.exe [860:4464] 000007fef93a88f8
Thread C:\Windows\System32\svchost.exe [860:4036] 000007fef91744e0
Thread C:\Windows\system32\svchost.exe [1048:4488] 000007fef2e16ed4
Thread C:\Windows\system32\svchost.exe [1048:4492] 000007fef2e16b8c
Thread C:\Windows\system32\svchost.exe [1172:1272] 000007fefaa68274
Thread C:\Windows\system32\svchost.exe [1172:3224] 000007fefaa68274
Thread C:\Windows\system32\svchost.exe [1284:4736] 000007feeba283d8
Thread C:\Windows\system32\svchost.exe [1284:2740] 000007feeba283d8
Thread C:\Windows\system32\svchost.exe [1284:1240] 000007feeb903f1c
Thread C:\Windows\system32\svchost.exe [1284:1680] 000007feef2b1a38
Thread C:\Windows\system32\svchost.exe [1284:1612] 000007feeb8d5388
Thread C:\Windows\system32\svchost.exe [1284:1028] 000007feeb8b7738
Thread C:\Windows\system32\svchost.exe [1284:1720] 000007feeb8a1f90
Thread C:\Windows\system32\svchost.exe [1284:5004] 000007fef70f5170
Thread C:\Windows\system32\svchost.exe [1436:1684] 000007fefd011a70
Thread C:\Windows\system32\svchost.exe [1436:1696] 000007fefd011a70
Thread C:\Windows\system32\svchost.exe [1436:1732] 000007fefd011a70
Thread C:\Windows\system32\svchost.exe [1436:1752] 000007fef9b42c70
Thread C:\Windows\system32\svchost.exe [1436:1760] 000007fef9b71000
Thread C:\Windows\system32\svchost.exe [1436:1776] 000007fef9b4fb40
Thread C:\Windows\system32\svchost.exe [1436:1784] 000007fef9b61d20
Thread C:\Windows\system32\svchost.exe [1436:1788] 000007fef9b4f6f0
Thread C:\Windows\system32\svchost.exe [1436:1948] 000007fef98c35c0
Thread C:\Windows\system32\svchost.exe [1436:2724] 000007fef98c5600
Thread C:\Windows\system32\svchost.exe [1436:3124] 000007fef6a12940
Thread C:\Windows\system32\svchost.exe [1436:3268] 000007fef6572888
Thread C:\Windows\System32\spoolsv.exe [1640:3328] 000007fef63710c8
Thread C:\Windows\System32\spoolsv.exe [1640:3336] 000007fef6336144
Thread C:\Windows\System32\spoolsv.exe [1640:3340] 000007fef9405fd0
Thread C:\Windows\System32\spoolsv.exe [1640:3344] 000007fef7d63438
Thread C:\Windows\System32\spoolsv.exe [1640:3348] 000007fef94063ec
Thread C:\Windows\System32\spoolsv.exe [1640:3356] 000007fef6405e5c
Thread C:\Windows\System32\spoolsv.exe [1640:3360] 000007fef6435074
Thread C:\Windows\system32\taskhost.exe [3228:3320] 000007fef6552740
Thread C:\Windows\system32\taskhost.exe [3228:3404] 000007fef61f1f38
Thread C:\Windows\system32\taskhost.exe [3228:3496] 000007fefb4c1010
Thread C:\Windows\system32\taskhost.exe [3228:3596] 000007feff08c608
Thread [3792:4056] 00000000778b2e25
Thread [3792:4064] 00000000778b3e45
Thread [3792:4084] 0000000074db27e1
Thread [3792:4368] 00000000778b7111
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167559060
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167559060@0016b8b20269 0xD5 0x54 0xFD 0xD4 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167559060@001a89c341ea 0xB5 0xB2 0x42 0xFA ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167559060@9463d16169f7 0x56 0xF2 0x6E 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 15444
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 15010
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0xC0 0x0C 0x9F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0x59 0xD6 0x7D ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167559060 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167559060@0016b8b20269 0xD5 0x54 0xFD 0xD4 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167559060@001a89c341ea 0xB5 0xB2 0x42 0xFA ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167559060@9463d16169f7 0x56 0xF2 0x6E 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0xC0 0x0C 0x9F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0x59 0xD6 0x7D ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\gry\Redemption Cemetery-Grave Testimony. Collector\x2019s Edition (2012).exe 1
---- Files - GMER 2.1 ----
File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
---- EOF - GMER 2.1 ----