GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-16 10:26:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVT-22A23T0 rev.01.01A01 232,89GB Running: ze3b5wjt.exe; Driver: C:\Users\Tomasz\AppData\Local\Temp\kfwdipod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e51360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e51560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e51360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e51560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[608] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee44750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076be6ef0 6 bytes {JMP QWORD [RIP+0x97f9140]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076be8184 6 bytes {JMP QWORD [RIP+0x98d7eac]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SetParent 0000000076be8530 6 bytes {JMP QWORD [RIP+0x9817b00]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076be9bcc 6 bytes {JMP QWORD [RIP+0x9576464]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!PostMessageA 0000000076bea404 6 bytes {JMP QWORD [RIP+0x95b5c2c]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!EnableWindow 0000000076beaaa0 6 bytes {JMP QWORD [RIP+0x9915590]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!MoveWindow 0000000076beaad0 6 bytes {JMP QWORD [RIP+0x9835560]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076bec720 6 bytes {JMP QWORD [RIP+0x97d3910]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076becd50 6 bytes {JMP QWORD [RIP+0x98b32e0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076bed2b0 6 bytes {JMP QWORD [RIP+0x95f2d80]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendMessageA 0000000076bed338 6 bytes {JMP QWORD [RIP+0x9632cf8]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076bedc40 6 bytes {JMP QWORD [RIP+0x97123f0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076bef510 6 bytes {JMP QWORD [RIP+0x98f0b20]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076bef874 6 bytes {JMP QWORD [RIP+0x95307bc]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076befac0 6 bytes {JMP QWORD [RIP+0x9690570]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076bf0b74 6 bytes {JMP QWORD [RIP+0x960f4bc]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076bf33b0 6 bytes {JMP QWORD [RIP+0x958cc80]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076bf4d4d 5 bytes {JMP QWORD [RIP+0x954b2e4]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!GetKeyState 0000000076bf5010 6 bytes {JMP QWORD [RIP+0x97ab020]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076bf5438 6 bytes {JMP QWORD [RIP+0x96cabf8]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendMessageW 0000000076bf6b50 6 bytes {JMP QWORD [RIP+0x96494e0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!PostMessageW 0000000076bf76e4 6 bytes {JMP QWORD [RIP+0x95c894c]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076bfdd90 6 bytes {JMP QWORD [RIP+0x97422a0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076bfe874 6 bytes {JMP QWORD [RIP+0x98817bc]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076bff780 6 bytes {JMP QWORD [RIP+0x98408b0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076c028e4 6 bytes {JMP QWORD [RIP+0x96dd74c]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!mouse_event 0000000076c03894 6 bytes {JMP QWORD [RIP+0x94dc79c]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076c08a10 6 bytes {JMP QWORD [RIP+0x9777620]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076c08be0 6 bytes {JMP QWORD [RIP+0x9657450]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c08c20 6 bytes {JMP QWORD [RIP+0x94f7410]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendInput 0000000076c08cd0 6 bytes {JMP QWORD [RIP+0x9757360]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!BlockInput 0000000076c0ad60 6 bytes {JMP QWORD [RIP+0x98552d0]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076c314e0 6 bytes {JMP QWORD [RIP+0x98eeb50]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!keybd_event 0000000076c545a4 6 bytes {JMP QWORD [RIP+0x946ba8c]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076c5cc08 6 bytes {JMP QWORD [RIP+0x96c3428]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076c5df18 6 bytes {JMP QWORD [RIP+0x9642118]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\services.exe[608] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd02a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd050c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\lsass.exe[624] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee44750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[796] c:\windows\system32\SspiCli.dll!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee44750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd02a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd050c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes JMP 36373030 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes JMP 7304c1 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 15aad .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd02a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd050c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes JMP 656d614e .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes JMP 6e0072 .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes JMP 124330 .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes JMP 6b0361 .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\System32\svchost.exe[432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 15aad .text C:\Windows\System32\svchost.exe[432] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes JMP 954dfc0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes JMP 45481 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes JMP 794681 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes JMP 13d7001 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes JMP 68ca01 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes JMP 2 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes JMP 350038 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes JMP 370037 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes JMP daf401 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes JMP a776cd8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes JMP a164279 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes JMP 94771c0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes JMP 950d0f0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes JMP 70044e8 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes JMP 370037 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes JMP 90a3778 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes JMP 4e72401 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes JMP 828f1a9 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes JMP 46837a0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes JMP 1d0021 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes JMP 5c0046 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd02a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd050c10 6 bytes JMP 1f501f40 .text C:\Windows\System32\svchost.exe[492] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee44750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes JMP 5d24 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes JMP 1000100 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 2a1c09 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 294640 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 3a0063 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd02a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd050c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[980] c:\windows\system32\SspiCli.dll!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 4fba639f .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefee44750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd02a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd050c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes JMP de .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 310000 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x2fdd60]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x31db78]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x33a450]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0x2b7cac]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0x29766c]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0x2d6cf4]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x353780]} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes JMP f4ad22d0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes JMP 65006e .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes JMP 72015a .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes JMP 800f63c .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 8 .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 4e0072 .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076be6ef0 6 bytes {JMP QWORD [RIP+0x97f9140]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076be8184 6 bytes {JMP QWORD [RIP+0x98d7eac]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SetParent 0000000076be8530 6 bytes {JMP QWORD [RIP+0x9817b00]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076be9bcc 6 bytes {JMP QWORD [RIP+0x9576464]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!PostMessageA 0000000076bea404 6 bytes {JMP QWORD [RIP+0x95b5c2c]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!EnableWindow 0000000076beaaa0 6 bytes {JMP QWORD [RIP+0x9915590]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!MoveWindow 0000000076beaad0 6 bytes {JMP QWORD [RIP+0x9835560]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076bec720 6 bytes {JMP QWORD [RIP+0x97d3910]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076becd50 6 bytes {JMP QWORD [RIP+0x98b32e0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076bed2b0 6 bytes {JMP QWORD [RIP+0x95f2d80]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendMessageA 0000000076bed338 6 bytes {JMP QWORD [RIP+0x9632cf8]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076bedc40 6 bytes {JMP QWORD [RIP+0x97123f0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076bef510 6 bytes {JMP QWORD [RIP+0x98f0b20]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076bef874 6 bytes {JMP QWORD [RIP+0x95307bc]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076befac0 6 bytes {JMP QWORD [RIP+0x9690570]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076bf0b74 6 bytes {JMP QWORD [RIP+0x960f4bc]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076bf33b0 6 bytes {JMP QWORD [RIP+0x958cc80]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076bf4d4d 5 bytes {JMP QWORD [RIP+0x954b2e4]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!GetKeyState 0000000076bf5010 6 bytes {JMP QWORD [RIP+0x97ab020]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076bf5438 6 bytes {JMP QWORD [RIP+0x96cabf8]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendMessageW 0000000076bf6b50 6 bytes {JMP QWORD [RIP+0x96494e0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!PostMessageW 0000000076bf76e4 6 bytes {JMP QWORD [RIP+0x95c894c]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076bfdd90 6 bytes {JMP QWORD [RIP+0x97422a0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076bfe874 6 bytes {JMP QWORD [RIP+0x98817bc]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076bff780 6 bytes {JMP QWORD [RIP+0x98408b0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076c028e4 6 bytes {JMP QWORD [RIP+0x96dd74c]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!mouse_event 0000000076c03894 6 bytes {JMP QWORD [RIP+0x94dc79c]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076c08a10 6 bytes {JMP QWORD [RIP+0x9777620]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076c08be0 6 bytes {JMP QWORD [RIP+0x9657450]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c08c20 6 bytes {JMP QWORD [RIP+0x94f7410]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendInput 0000000076c08cd0 6 bytes {JMP QWORD [RIP+0x9757360]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!BlockInput 0000000076c0ad60 6 bytes {JMP QWORD [RIP+0x98552d0]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076c314e0 6 bytes {JMP QWORD [RIP+0x98eeb50]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!keybd_event 0000000076c545a4 6 bytes {JMP QWORD [RIP+0x946ba8c]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076c5cc08 6 bytes {JMP QWORD [RIP+0x96c3428]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076c5df18 6 bytes {JMP QWORD [RIP+0x9642118]} .text C:\Windows\Explorer.EXE[1592] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x2fdd60]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x31db78]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x33a450]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0x2b7cac]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0x29766c]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x374648]} .text C:\Program Files\Zune\ZuneLauncher.exe[1964] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x353780]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\svchost.exe[1432] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes {JMP QWORD [RIP+0xc7cac]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes {JMP QWORD [RIP+0xe6cf4]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca450a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fff9e0 3 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076fff9e4 2 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fffcb0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076fffcb4 2 bytes [C5, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076fffd64 3 bytes JMP 6fb1000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076fffd68 2 bytes JMP 6fb1000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fffdc8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076fffdcc 2 bytes [B6, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fffec0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076fffec4 2 bytes [AD, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076ffffa4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076ffffa8 2 bytes [B9, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077000004 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077000008 2 bytes [D1, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077000084 3 bytes JMP 6fcf000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077000088 2 bytes JMP 6fcf000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770000b4 3 bytes JMP 6fb4000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770000b8 2 bytes JMP 6fb4000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770003b8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770003bc 2 bytes [A1, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077000550 3 bytes JMP 6fd5000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077000554 2 bytes JMP 6fd5000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077000694 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077000698 2 bytes [C2, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007700088c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077000890 2 bytes [AA, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770008a4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770008a8 2 bytes [A4, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077000df4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077000df8 2 bytes [BF, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077000ed8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077000edc 2 bytes [A7, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077001be4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077001be8 2 bytes [BC, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077001cb4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077001cb8 2 bytes [CB, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077001d8c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077001d90 2 bytes [C8, 6F] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077021287 6 bytes JMP 71a8000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007674103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076741072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007676a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007676c965 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\SearchIndexer.exe[2884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076e51430 8 bytes JMP 000000016fff00d8 .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes JMP a548a540 .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\System32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076be6ef0 6 bytes {JMP QWORD [RIP+0x97f9140]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076be8184 6 bytes {JMP QWORD [RIP+0x98d7eac]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SetParent 0000000076be8530 6 bytes {JMP QWORD [RIP+0x9817b00]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076be9bcc 6 bytes {JMP QWORD [RIP+0x9576464]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!PostMessageA 0000000076bea404 6 bytes {JMP QWORD [RIP+0x95b5c2c]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!EnableWindow 0000000076beaaa0 6 bytes {JMP QWORD [RIP+0x9915590]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!MoveWindow 0000000076beaad0 6 bytes {JMP QWORD [RIP+0x9835560]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076bec720 6 bytes {JMP QWORD [RIP+0x97d3910]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076becd50 6 bytes {JMP QWORD [RIP+0x98b32e0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076bed2b0 6 bytes {JMP QWORD [RIP+0x95f2d80]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendMessageA 0000000076bed338 6 bytes {JMP QWORD [RIP+0x9632cf8]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076bedc40 6 bytes {JMP QWORD [RIP+0x97123f0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076bef510 6 bytes {JMP QWORD [RIP+0x98f0b20]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076bef874 6 bytes {JMP QWORD [RIP+0x95307bc]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076befac0 6 bytes {JMP QWORD [RIP+0x9690570]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076bf0b74 6 bytes {JMP QWORD [RIP+0x960f4bc]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076bf33b0 6 bytes {JMP QWORD [RIP+0x958cc80]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076bf4d4d 5 bytes {JMP QWORD [RIP+0x954b2e4]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!GetKeyState 0000000076bf5010 6 bytes {JMP QWORD [RIP+0x97ab020]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076bf5438 6 bytes {JMP QWORD [RIP+0x96cabf8]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendMessageW 0000000076bf6b50 6 bytes {JMP QWORD [RIP+0x96494e0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!PostMessageW 0000000076bf76e4 6 bytes {JMP QWORD [RIP+0x95c894c]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076bfdd90 6 bytes {JMP QWORD [RIP+0x97422a0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076bfe874 6 bytes {JMP QWORD [RIP+0x98817bc]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076bff780 6 bytes {JMP QWORD [RIP+0x98408b0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076c028e4 6 bytes {JMP QWORD [RIP+0x96dd74c]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!mouse_event 0000000076c03894 6 bytes {JMP QWORD [RIP+0x94dc79c]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076c08a10 6 bytes {JMP QWORD [RIP+0x9777620]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076c08be0 6 bytes {JMP QWORD [RIP+0x9657450]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c08c20 6 bytes {JMP QWORD [RIP+0x94f7410]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendInput 0000000076c08cd0 6 bytes {JMP QWORD [RIP+0x9757360]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!BlockInput 0000000076c0ad60 6 bytes {JMP QWORD [RIP+0x98552d0]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076c314e0 6 bytes {JMP QWORD [RIP+0x98eeb50]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!keybd_event 0000000076c545a4 6 bytes {JMP QWORD [RIP+0x946ba8c]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076c5cc08 6 bytes {JMP QWORD [RIP+0x96c3428]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076c5df18 6 bytes {JMP QWORD [RIP+0x9642118]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes JMP c .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[4084] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes CALL 79000026 .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes {JMP QWORD [RIP+0x10dd60]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes {JMP QWORD [RIP+0x12db78]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes {JMP QWORD [RIP+0xa766c]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x294648]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes {JMP QWORD [RIP+0x273780]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd02a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\DllHost.exe[1364] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd050c10 6 bytes JMP 1ca .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e23b10 6 bytes {JMP QWORD [RIP+0x921c520]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e513a0 6 bytes {JMP QWORD [RIP+0x91cec90]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e51570 6 bytes {JMP QWORD [RIP+0x978eac0]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e515e0 6 bytes {JMP QWORD [RIP+0x986ea50]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e51620 6 bytes {JMP QWORD [RIP+0x982ea10]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076e516c0 6 bytes {JMP QWORD [RIP+0x988e970]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e51750 6 bytes {JMP QWORD [RIP+0x980e8e0]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e51790 6 bytes {JMP QWORD [RIP+0x970e8a0]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e517e0 6 bytes {JMP QWORD [RIP+0x972e850]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e51800 6 bytes {JMP QWORD [RIP+0x984e830]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076e519f0 6 bytes {JMP QWORD [RIP+0x990e640]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e51b00 6 bytes {JMP QWORD [RIP+0x96ee530]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076e51bd0 6 bytes {JMP QWORD [RIP+0x97ae460]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076e51d20 6 bytes {JMP QWORD [RIP+0x98ae310]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e51d30 6 bytes {JMP QWORD [RIP+0x98ee300]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e520a0 6 bytes {JMP QWORD [RIP+0x97cdf90]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e52130 6 bytes {JMP QWORD [RIP+0x98cdf00]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e529a0 6 bytes {JMP QWORD [RIP+0x97ed690]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e52a20 4 bytes [FF, 25, 10, D6] .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 5 0000000076e52a25 1 byte [09] .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e52aa0 6 bytes {JMP QWORD [RIP+0x976d590]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 0000000076cea420 6 bytes {JMP QWORD [RIP+0x93b5c10]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000076d01b50 6 bytes {JMP QWORD [RIP+0x935e4e0]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076d3eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000076d78810 6 bytes {JMP QWORD [RIP+0x9307820]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcce9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefccf53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefdfe22d0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!BitBlt 000007fefdfe24b8 6 bytes JMP 2e352e32 .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefdfe5be0 6 bytes JMP fab50020 .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefdfe8384 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefdfe89c4 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!GetPixel 000007fefdfe933c 6 bytes JMP 7ff .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefdfeb9e8 6 bytes {JMP QWORD [RIP+0x374648]} .text C:\Windows\system32\AUDIODG.EXE[832] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefdfec8b0 6 bytes JMP 0 .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076fff9e0 3 bytes JMP 71af000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076fff9e4 2 bytes JMP 71af000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076fffcb0 3 bytes JMP 70f7000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076fffcb4 2 bytes JMP 70f7000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076fffd64 3 bytes JMP 70e2000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076fffd68 2 bytes JMP 70e2000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076fffdc8 3 bytes JMP 70e8000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076fffdcc 2 bytes JMP 70e8000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076fffec0 3 bytes JMP 70df000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076fffec4 2 bytes JMP 70df000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076ffffa4 3 bytes JMP 70eb000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076ffffa8 2 bytes JMP 70eb000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077000004 3 bytes JMP 7103000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077000008 2 bytes JMP 7103000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077000084 3 bytes JMP 7100000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077000088 2 bytes JMP 7100000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770000b4 3 bytes JMP 70e5000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770000b8 2 bytes JMP 70e5000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770003b8 3 bytes JMP 70d3000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770003bc 2 bytes JMP 70d3000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077000550 3 bytes JMP 7106000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077000554 2 bytes JMP 7106000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077000694 3 bytes JMP 70f4000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077000698 2 bytes JMP 70f4000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007700088c 3 bytes JMP 70dc000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077000890 2 bytes JMP 70dc000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770008a4 3 bytes JMP 70d6000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770008a8 2 bytes JMP 70d6000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077000df4 3 bytes JMP 70f1000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077000df8 2 bytes JMP 70f1000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077000ed8 3 bytes JMP 70d9000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077000edc 2 bytes JMP 70d9000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077001be4 3 bytes JMP 70ee000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077001be8 2 bytes JMP 70ee000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077001cb4 3 bytes JMP 70fd000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077001cb8 2 bytes JMP 70fd000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077001d8c 3 bytes JMP 70fa000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077001d90 2 bytes JMP 70fa000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077021287 6 bytes JMP 71a8000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007674103d 6 bytes JMP 719c000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076741072 6 bytes JMP 7199000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007676a2ba 1 byte [62] .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007676c965 6 bytes JMP 7190000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074e6f776 6 bytes JMP 719f000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074e72c91 4 bytes CALL 71ac0000 .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075458332 6 bytes JMP 7160000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075458bff 6 bytes JMP 7154000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000754590d3 6 bytes JMP 710f000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075459679 6 bytes JMP 714e000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000754597d2 6 bytes JMP 7148000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007545ee09 6 bytes JMP 7166000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007545efc9 3 bytes JMP 7115000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007545efcd 2 bytes JMP 7115000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000754612a5 6 bytes JMP 715a000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007546291f 6 bytes JMP 712d000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetParent 0000000075462d64 3 bytes JMP 7124000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075462d68 2 bytes JMP 7124000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075462da4 6 bytes JMP 710c000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075463698 3 bytes JMP 7121000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007546369c 2 bytes JMP 7121000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075463baa 6 bytes JMP 715d000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075463c61 6 bytes JMP 7157000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075466110 6 bytes JMP 7163000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007546612e 6 bytes JMP 7151000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075466c30 6 bytes JMP 7112000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075467603 6 bytes JMP 7169000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075467668 6 bytes JMP 713c000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000754676e0 6 bytes JMP 7142000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007546781f 6 bytes JMP 714b000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007546835c 6 bytes JMP 716c000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007546c4b6 3 bytes JMP 711e000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007546c4ba 2 bytes JMP 711e000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007547c112 6 bytes JMP 7139000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007547d0f5 6 bytes JMP 7136000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007547eb96 6 bytes JMP 712a000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007547ec68 3 bytes JMP 7130000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007547ec6c 2 bytes JMP 7130000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendInput 000000007547ff4a 3 bytes JMP 7133000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007547ff4e 2 bytes JMP 7133000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075499f1d 6 bytes JMP 7118000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000754a1497 6 bytes JMP 7109000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!mouse_event 00000000754b027b 6 bytes JMP 716f000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!keybd_event 00000000754b02bf 6 bytes JMP 7172000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000754b6cfc 6 bytes JMP 7145000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000754b6d5d 6 bytes JMP 713f000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!BlockInput 00000000754b7dd7 3 bytes JMP 711b000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000754b7ddb 2 bytes JMP 711b000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000754b88eb 3 bytes JMP 7127000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000754b88ef 2 bytes JMP 7127000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765b58b3 6 bytes JMP 7184000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765b5ea6 6 bytes JMP 717e000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765b7bcc 6 bytes JMP 718d000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765bb895 6 bytes JMP 7175000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765bc332 6 bytes JMP 717b000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765bcbfb 6 bytes JMP 7187000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765be743 6 bytes JMP 718a000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000765e480f 6 bytes JMP 7178000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076672642 6 bytes JMP 7196000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076675429 6 bytes JMP 7193000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a2124e 6 bytes JMP 7181000a .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b21465 2 bytes [B2, 74] .text C:\Users\Tomasz\Desktop\Download\ze3b5wjt.exe[3880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b214bb 2 bytes [B2, 74] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [4084:1004] 000007fef02f9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1864:1776] 000007fefb592a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1864:448] 000007fef9925124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BITS@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\BITS Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----