GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-24 22:46:04 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.D005DEM1 465,76GB Running: 51fix0vs.exe; Driver: C:\Users\wojtek\AppData\Local\Temp\pxldapod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff800031b3000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495 fffff800031b302f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x8c6e900]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x8f0e640]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x8c8e420]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x8cce380]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x8cae320]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\lsm.exe[736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsm.exe[736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f1430 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x8c6e900]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x8f0e640]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x8c8e420]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x8cce380]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x8cae320]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x8c6e900]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x8f0e640]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x8c8e420]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x8cce380]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x8cae320]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes JMP ab8e81 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes JMP 7cfb708 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes JMP 5e0d559 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes JMP 814e211 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes JMP a3b8c20 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes JMP 5ee3bd1 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes JMP 7345f79 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes JMP 5ee6f49 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes JMP 5dfa3d1 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes JMP 3f .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes JMP c24481 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes JMP 9fbf180 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes JMP 75d17b8 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes JMP 240024 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes JMP 17c7081 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes JMP a563590 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes JMP 5dfab89 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes JMP a30ae30 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes JMP 3495480 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes JMP 68606f1 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes JMP 8dab850 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes JMP 20027 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes JMP a065c30 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes JMP ffffffff .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007779db80 6 bytes {JMP QWORD [RIP+0x88c24b0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x8c6e900]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x8f0e640]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x8c8e420]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x8cce380]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x8cae320]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x8c6e900]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x8f0e640]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x8c8e420]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x8cce380]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x8cae320]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007779db80 6 bytes {JMP QWORD [RIP+0x88c24b0]} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde13e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1172] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000012350a0 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x8c6e900]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x8f0e640]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x8c8e420]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x8cce380]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x8cae320]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 23] .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007543124e 6 bytes JMP 718d000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075998332 6 bytes JMP 716c000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075998bff 6 bytes JMP 7160000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759990d3 6 bytes JMP 711b000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075999679 6 bytes JMP 715a000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759997d2 6 bytes JMP 7154000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007599ee09 6 bytes JMP 7172000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007599efc9 3 bytes JMP 7121000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007599efcd 2 bytes JMP 7121000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759a12a5 6 bytes JMP 7166000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759a291f 6 bytes JMP 7139000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetParent 00000000759a2d64 3 bytes JMP 7130000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759a2d68 2 bytes JMP 7130000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759a2da4 6 bytes JMP 7118000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759a3698 3 bytes JMP 712d000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759a369c 2 bytes JMP 712d000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759a3baa 6 bytes JMP 7169000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759a3c61 6 bytes JMP 7163000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759a6110 6 bytes JMP 716f000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759a612e 6 bytes JMP 715d000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759a6c30 6 bytes JMP 711e000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759a7603 6 bytes JMP 7175000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759a7668 6 bytes JMP 7148000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759a76e0 6 bytes JMP 714e000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759a781f 6 bytes JMP 7157000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759a835c 6 bytes JMP 7178000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ac4b6 3 bytes JMP 712a000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ac4ba 2 bytes JMP 712a000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759bc112 6 bytes JMP 7145000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759bd0f5 6 bytes JMP 7142000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759beb96 6 bytes JMP 7136000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759bec68 3 bytes JMP 713c000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759bec6c 2 bytes JMP 713c000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendInput 00000000759bff4a 3 bytes JMP 713f000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759bff4e 2 bytes JMP 713f000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000759d9f1d 6 bytes JMP 7124000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000759e1497 6 bytes JMP 7115000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!mouse_event 00000000759f027b 6 bytes JMP 717b000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!keybd_event 00000000759f02bf 6 bytes JMP 717e000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000759f6cfc 6 bytes JMP 7151000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000759f6d5d 6 bytes JMP 714b000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!BlockInput 00000000759f7dd7 3 bytes JMP 7127000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000759f7ddb 2 bytes JMP 7127000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000759f88eb 3 bytes JMP 7133000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000759f88ef 2 bytes JMP 7133000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075d758b3 6 bytes JMP 7190000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075d75ea6 6 bytes JMP 718a000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075d77bcc 6 bytes JMP 7199000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075d7b895 6 bytes JMP 7181000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075d7c332 6 bytes JMP 7187000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075d7cbfb 6 bytes JMP 7193000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075d7e743 6 bytes JMP 7196000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075da4857 6 bytes JMP 7184000a .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 76cfb21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 76cfb346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 76d78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 76cd48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 76d787a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 76d78978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 76d78698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 76d78a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 76cefca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76cf68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 76d78f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 76d78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 76d7865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 76cefd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 76cfb2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 76d78e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\KMService.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 76d785f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x8d6eac0]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x8c6e900]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x8cee8a0]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x8d0e850]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x8f0e640]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x8c8e420]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x8cce380]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x8cae320]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[2424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\unsecapp.exe[2424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[2660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[2660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1022cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe1024c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe105bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe108398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe1089d8 6 bytes {JMP QWORD [RIP+0x197658]} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1089f0 8 bytes JMP 000007fffd6701f0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe109344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe10b9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe10be50 8 bytes JMP 000007fffd6701b8 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe10c8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x877c520]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x872ec90]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x8ecebc0]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x8e0ea10]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x8e6e970]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes JMP 80000000 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x8dee8e0]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes JMP 55000000 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x8c2e630]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x8c0e530]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes JMP ff000000 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes JMP ffffffff C:\Windows\Explorer.EXE .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x8e8e310]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x8eee300]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x8dadf90]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x8eadf00]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x8dcd690]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x8d2d610]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x8d4d590]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007779db80 6 bytes {JMP QWORD [RIP+0x88c24b0]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1022cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe1024c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe105bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe108398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe1089d8 6 bytes {JMP QWORD [RIP+0x197658]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe109344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe10b9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe10c8e0 6 bytes JMP 300f90 .text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd4250a0 6 bytes JMP 9b3 .text C:\Windows\system32\wbem\wmiprvse.exe[3404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[3404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[3428] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd6c2db0 5 bytes JMP 000007fffd670180 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[3428] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6c37d0 7 bytes JMP 000007fffd6700d8 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[3428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd6c8ef0 6 bytes JMP 000007fffd670148 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[3428] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd6daf60 5 bytes JMP 000007fffd670110 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[3428] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1089f0 8 bytes JMP 000007fffd6701f0 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[3428] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe10be50 8 bytes JMP 000007fffd6701b8 .text C:\Windows\System32\hkcmd.exe[3784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\hkcmd.exe[3784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a9f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a9f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a9fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a9fb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a9fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a9fcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a9fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a9fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a9fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a9fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a9fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a9fec4 2 bytes [D8, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a9ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a9ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a9ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a9ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077aa0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077aa0008 2 bytes [FC, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077aa0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077aa0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077aa00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077aa00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077aa03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077aa03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077aa03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077aa03d4 2 bytes [0E, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077aa0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077aa0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077aa0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077aa0698 2 bytes [ED, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077aa06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077aa06f8 2 bytes [05, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077aa079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077aa07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077aa07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077aa07e8 2 bytes [FF, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077aa0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077aa0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077aa088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077aa0890 2 bytes [D5, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077aa08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077aa08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077aa0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077aa0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077aa0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077aa0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077aa1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077aa1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077aa1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077aa1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077aa1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077aa1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ac1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cd1f0e 7 bytes JMP 0000000174fd4b10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cd5bad 7 bytes JMP 0000000174fd54b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ce1409 7 bytes JMP 0000000174fd4e50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ce3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ce3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076ceea45 7 bytes JMP 0000000174fd4b00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d78e24 7 bytes JMP 0000000174fd45c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d78ea9 5 bytes JMP 0000000174fd4670 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d791ff 5 bytes JMP 0000000174fd45d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007551f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075521d29 5 bytes JMP 0000000174fd4580 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075521dd7 5 bytes JMP 0000000174fd4540 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075522ab1 5 bytes JMP 0000000174fd4680 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075522c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075522d17 5 bytes JMP 0000000174fd4360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007543124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075998332 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075998a29 5 bytes JMP 0000000174fd3a40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075998bff 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759990d3 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075999679 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759997d2 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007599ee09 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007599efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007599efcd 2 bytes [20, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759a12a5 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759a291f 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetParent 00000000759a2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759a2d68 2 bytes [2F, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759a2da4 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759a3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759a369c 2 bytes [2C, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759a3baa 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759a3c61 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759a4572 5 bytes JMP 0000000174fd42e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759a6110 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759a612e 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759a6c30 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759a7603 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759a7668 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759a76e0 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759a781f 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759a835c 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ac4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ac4ba 2 bytes [29, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759bc112 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759bd0f5 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759be567 5 bytes JMP 0000000174fd4350 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759beb96 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759bec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759bec6c 2 bytes [3B, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendInput 00000000759bff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759bff4e 2 bytes [3E, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000759d9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000759e07d7 5 bytes JMP 0000000174fd3850 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000759e1497 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!mouse_event 00000000759f027b 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!keybd_event 00000000759f02bf 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000759f6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000759f6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000759f7a5c 5 bytes JMP 0000000174fd42d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!BlockInput 00000000759f7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000759f7ddb 2 bytes [26, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000759f88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000759f88ef 2 bytes [32, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075d758b3 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075d75ea6 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075d77bcc 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075d7b895 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075d7c332 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075d7cbfb 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075d7e743 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d8e96b 5 bytes JMP 0000000174fd3b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d8eba5 5 bytes JMP 0000000174fd3b80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3848] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075da4857 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a9f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a9f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a9fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a9fb2c 2 bytes [CF, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a9fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a9fcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a9fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a9fd68 2 bytes [DB, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a9fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a9fdcc 2 bytes [E1, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a9fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a9fec4 2 bytes [D8, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a9ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a9ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a9ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a9ffa8 2 bytes [E4, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077aa0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077aa0008 2 bytes [FC, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077aa0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077aa0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077aa00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077aa00b8 2 bytes [DE, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077aa03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077aa03bc 2 bytes [C9, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077aa03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077aa03d4 2 bytes [0E, 71] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077aa0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077aa0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077aa0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077aa0698 2 bytes [ED, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077aa06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077aa06f8 2 bytes [05, 71] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077aa079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077aa07a0 2 bytes [0B, 71] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077aa07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077aa07e8 2 bytes [FF, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077aa0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077aa0878 2 bytes [02, 71] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077aa088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077aa0890 2 bytes [D5, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077aa08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077aa08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077aa0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077aa0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077aa0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077aa0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077aa1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077aa1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077aa1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077aa1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077aa1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077aa1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ac1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cd1f0e 7 bytes JMP 0000000174fd4b10 .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cd5bad 7 bytes JMP 0000000174fd54b0 .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ce1409 7 bytes JMP 0000000174fd4e50 .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ce3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ce3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076ceea45 7 bytes JMP 0000000174fd4b00 .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d78e24 7 bytes JMP 0000000174fd45c0 .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d78ea9 5 bytes JMP 0000000174fd4670 .text C:\Program Files (x86)\Windows Sidebar\sidebar.exe[4288] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d791ff 5 bytes JMP 0000000174fd45d0 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a9f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a9f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a9fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a9fb2c 2 bytes [CF, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a9fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a9fcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a9fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a9fd68 2 bytes [DB, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a9fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a9fdcc 2 bytes [E1, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a9fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a9fec4 2 bytes [D8, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a9ff74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a9ff78 2 bytes [08, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a9ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a9ffa8 2 bytes [E4, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077aa0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077aa0008 2 bytes [FC, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077aa0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077aa0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077aa00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077aa00b8 2 bytes [DE, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077aa03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077aa03bc 2 bytes [C9, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077aa03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077aa03d4 2 bytes [0E, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077aa0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077aa0554 2 bytes [11, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077aa0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077aa0698 2 bytes [ED, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077aa06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077aa06f8 2 bytes [05, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077aa079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077aa07a0 2 bytes [0B, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077aa07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077aa07e8 2 bytes [FF, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077aa0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077aa0878 2 bytes [02, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077aa088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077aa0890 2 bytes [D5, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077aa08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077aa08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077aa0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077aa0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077aa0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077aa0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077aa1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077aa1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077aa1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077aa1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077aa1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077aa1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ac1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cd1f0e 7 bytes JMP 0000000174fd4b10 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cd5bad 7 bytes JMP 0000000174fd54b0 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ce1409 7 bytes JMP 0000000174fd4e50 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ce3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ce3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076ceea45 7 bytes JMP 0000000174fd4b00 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d78e24 7 bytes JMP 0000000174fd45c0 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d78ea9 5 bytes JMP 0000000174fd4670 .text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[4296] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d791ff 5 bytes JMP 0000000174fd45d0 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cd1f0e 7 bytes JMP 0000000174fd4b10 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cd5bad 7 bytes JMP 0000000174fd54b0 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ce1409 7 bytes JMP 0000000174fd4e50 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ce3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ce3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076ceea45 7 bytes JMP 0000000174fd4b00 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d78e24 7 bytes JMP 0000000174fd45c0 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d78ea9 5 bytes JMP 0000000174fd4670 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4944] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d791ff 5 bytes JMP 0000000174fd45d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6024] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007551f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075522c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\system32\wuauclt.exe[2700] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4f7490 11 bytes JMP 000007fffd670228 .text C:\Windows\system32\wuauclt.exe[2700] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe50bf00 7 bytes JMP 000007fffd670260 .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe95687c 6 bytes {JMP QWORD [RIP+0xf97b4]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefe958e30 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefe95995c 6 bytes {JMP QWORD [RIP+0x1566d4]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe9599e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe959ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe95a51c 6 bytes {JMP QWORD [RIP+0xd5b14]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe95a530 6 bytes {JMP QWORD [RIP+0xb5b00]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe95a5b0 5 bytes [FF, 25, 80, 5A, 07] .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe95a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe95bb28 6 bytes {JMP QWORD [RIP+0x114508]} .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe95bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[5640] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefe95bb40 2 bytes [13, 00] .text C:\Windows\system32\svchost.exe[5640] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde13e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000778f1370 6 bytes {JMP QWORD [RIP+0x882ecc0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778f13a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778f1470 6 bytes {JMP QWORD [RIP+0x966ebc0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000778f14d0 6 bytes {JMP QWORD [RIP+0x880eb60]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000778f14e0 6 bytes {JMP QWORD [RIP+0x8a6eb50]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 6 bytes {JMP QWORD [RIP+0x955eac0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778f15e0 6 bytes {JMP QWORD [RIP+0x8a4ea50]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 6 bytes {JMP QWORD [RIP+0x89eea10]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000778f1640 6 bytes {JMP QWORD [RIP+0x8a8e9f0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 6 bytes {JMP QWORD [RIP+0x88ae980]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778f16c0 6 bytes {JMP QWORD [RIP+0x960e970]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 6 bytes {JMP QWORD [RIP+0x888e900]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 6 bytes {JMP QWORD [RIP+0x89ce8e0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 6 bytes {JMP QWORD [RIP+0x94de8a0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 6 bytes {JMP QWORD [RIP+0x94fe850]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778f1800 6 bytes {JMP QWORD [RIP+0x8a2e830]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778f19f0 6 bytes {JMP QWORD [RIP+0x87ce640]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778f1a00 6 bytes {JMP QWORD [RIP+0x87ae630]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 6 bytes {JMP QWORD [RIP+0x87ee530]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778f1bd0 6 bytes {JMP QWORD [RIP+0x898e460]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 6 bytes {JMP QWORD [RIP+0x88ce420]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 6 bytes {JMP QWORD [RIP+0x884e3b0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000778f1c90 6 bytes {JMP QWORD [RIP+0x8a0e3a0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778f1cb0 6 bytes {JMP QWORD [RIP+0x894e380]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 6 bytes {JMP QWORD [RIP+0x890e320]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778f1d20 6 bytes {JMP QWORD [RIP+0x962e310]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 6 bytes {JMP QWORD [RIP+0x968e300]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000778f1d90 6 bytes {JMP QWORD [RIP+0x89ae2a0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 6 bytes {JMP QWORD [RIP+0x958df90]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778f2130 6 bytes {JMP QWORD [RIP+0x964df00]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 6 bytes {JMP QWORD [RIP+0x8acdea0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 6 bytes {JMP QWORD [RIP+0x8aade90]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 6 bytes {JMP QWORD [RIP+0x88ede60]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 6 bytes {JMP QWORD [RIP+0x886ddf0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 6 bytes {JMP QWORD [RIP+0x892dda0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000778f27a0 6 bytes {JMP QWORD [RIP+0x896d890]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 6 bytes {JMP QWORD [RIP+0x95ad690]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000778f29c0 6 bytes {JMP QWORD [RIP+0x8aed670]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 6 bytes {JMP QWORD [RIP+0x951d610]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 6 bytes {JMP QWORD [RIP+0x953d590]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000777862e0 4 bytes [FF, 25, 50, 9D] .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW + 5 00000000777862e5 1 byte [08] .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077793a20 6 bytes {JMP QWORD [RIP+0x88ec610]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007779db80 6 bytes {JMP QWORD [RIP+0x90424b0]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000778016e0 6 bytes {JMP QWORD [RIP+0x883e950]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd6c8ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd6c9055 3 bytes CALL 9000027 .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6d53c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1022cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe1024c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe105bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe108398 6 bytes {JMP QWORD [RIP+0x1b7c98]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe1089d8 6 bytes {JMP QWORD [RIP+0x197658]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe109344 6 bytes {JMP QWORD [RIP+0x1d6cec]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe10b9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe10c8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe95687c 6 bytes {JMP QWORD [RIP+0xf97b4]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefe958e30 6 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefe95995c 6 bytes {JMP QWORD [RIP+0x1566d4]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe9599e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe959ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe95a51c 6 bytes {JMP QWORD [RIP+0xd5b14]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe95a530 6 bytes {JMP QWORD [RIP+0xb5b00]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe95a5b0 5 bytes JMP 1000c .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe95a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe95bb28 6 bytes {JMP QWORD [RIP+0x114508]} .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe95bb3c 3 bytes [FF, 25, F4] .text C:\Windows\System32\rundll32.exe[1736] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefe95bb40 2 bytes [13, 00] .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a9f9e0 3 bytes JMP 71af000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a9f9e4 2 bytes JMP 71af000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a9fb28 3 bytes JMP 70d0000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a9fb2c 2 bytes JMP 70d0000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a9fcb0 3 bytes JMP 70f1000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a9fcb4 2 bytes JMP 70f1000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a9fd64 3 bytes JMP 70dc000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a9fd68 2 bytes JMP 70dc000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a9fdc8 3 bytes JMP 70e2000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a9fdcc 2 bytes JMP 70e2000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a9fec0 3 bytes JMP 70d9000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a9fec4 2 bytes JMP 70d9000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a9ff74 3 bytes JMP 7109000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a9ff78 2 bytes JMP 7109000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a9ffa4 3 bytes JMP 70e5000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a9ffa8 2 bytes JMP 70e5000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077aa0004 3 bytes JMP 70fd000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077aa0008 2 bytes JMP 70fd000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077aa0084 3 bytes JMP 70fa000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077aa0088 2 bytes JMP 70fa000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077aa00b4 3 bytes JMP 70df000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077aa00b8 2 bytes JMP 70df000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077aa03b8 3 bytes JMP 70ca000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077aa03bc 2 bytes JMP 70ca000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077aa03d0 3 bytes JMP 710f000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077aa03d4 2 bytes JMP 710f000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077aa0550 3 bytes JMP 7112000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077aa0554 2 bytes JMP 7112000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077aa0694 3 bytes JMP 70ee000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077aa0698 2 bytes JMP 70ee000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077aa06f4 3 bytes JMP 7106000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077aa06f8 2 bytes JMP 7106000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077aa079c 3 bytes JMP 710c000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077aa07a0 2 bytes JMP 710c000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077aa07e4 3 bytes JMP 7100000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077aa07e8 2 bytes JMP 7100000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077aa0874 3 bytes JMP 7103000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077aa0878 2 bytes JMP 7103000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077aa088c 3 bytes JMP 70d6000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077aa0890 2 bytes JMP 70d6000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077aa08a4 3 bytes JMP 70cd000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077aa08a8 2 bytes JMP 70cd000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077aa0df4 3 bytes JMP 70eb000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077aa0df8 2 bytes JMP 70eb000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077aa0ed8 3 bytes JMP 70d3000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077aa0edc 2 bytes JMP 70d3000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077aa1be4 3 bytes JMP 70e8000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077aa1be8 2 bytes JMP 70e8000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077aa1cb4 3 bytes JMP 70f7000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077aa1cb8 2 bytes JMP 70f7000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077aa1d8c 3 bytes JMP 70f4000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077aa1d90 2 bytes JMP 70f4000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ac1287 6 bytes JMP 71a8000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cd1f0e 7 bytes JMP 0000000174fd4b10 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cd5bad 7 bytes JMP 0000000174fd54b0 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ce1409 7 bytes JMP 0000000174fd4e50 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ce3bbb 3 bytes JMP 719c000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ce3bbf 2 bytes JMP 719c000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076ceea45 7 bytes JMP 0000000174fd4b00 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d78e24 7 bytes JMP 0000000174fd45c0 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d78ea9 5 bytes JMP 0000000174fd4670 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d791ff 5 bytes JMP 0000000174fd45d0 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007551f784 6 bytes JMP 719f000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075521d29 5 bytes JMP 0000000174fd4580 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075521dd7 5 bytes JMP 0000000174fd4540 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075522ab1 5 bytes JMP 0000000174fd4680 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075522c9e 4 bytes CALL 71ac0000 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075522d17 5 bytes JMP 0000000174fd4360 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075998332 6 bytes JMP 716c000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075998a29 5 bytes JMP 0000000174fd3a40 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075998bff 6 bytes JMP 7160000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759990d3 6 bytes JMP 711b000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075999679 6 bytes JMP 715a000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759997d2 6 bytes JMP 7154000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007599ee09 6 bytes JMP 7172000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007599efc9 3 bytes JMP 7121000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007599efcd 2 bytes JMP 7121000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759a12a5 6 bytes JMP 7166000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759a291f 6 bytes JMP 7139000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetParent 00000000759a2d64 3 bytes JMP 7130000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759a2d68 2 bytes JMP 7130000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759a2da4 6 bytes JMP 7118000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759a3698 3 bytes JMP 712d000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759a369c 2 bytes JMP 712d000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759a3baa 6 bytes JMP 7169000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759a3c61 6 bytes JMP 7163000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759a4572 5 bytes JMP 0000000174fd42e0 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759a6110 6 bytes JMP 716f000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759a612e 6 bytes JMP 715d000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759a6c30 6 bytes JMP 711e000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759a7603 6 bytes JMP 7175000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759a7668 6 bytes JMP 7148000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759a76e0 6 bytes JMP 714e000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759a781f 6 bytes JMP 7157000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759a835c 6 bytes JMP 7178000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ac4b6 3 bytes JMP 712a000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ac4ba 2 bytes JMP 712a000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759bc112 6 bytes JMP 7145000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759bd0f5 6 bytes JMP 7142000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759be567 5 bytes JMP 0000000174fd4350 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759beb96 6 bytes JMP 7136000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759bec68 3 bytes JMP 713c000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759bec6c 2 bytes JMP 713c000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendInput 00000000759bff4a 3 bytes JMP 713f000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759bff4e 2 bytes JMP 713f000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000759d9f1d 6 bytes JMP 7124000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000759e07d7 5 bytes JMP 0000000174fd3850 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000759e1497 6 bytes JMP 7115000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!mouse_event 00000000759f027b 6 bytes JMP 717b000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!keybd_event 00000000759f02bf 6 bytes JMP 717e000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000759f6cfc 6 bytes JMP 7151000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000759f6d5d 6 bytes JMP 714b000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000759f7a5c 5 bytes JMP 0000000174fd42d0 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!BlockInput 00000000759f7dd7 3 bytes JMP 7127000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000759f7ddb 2 bytes JMP 7127000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000759f88eb 3 bytes JMP 7133000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000759f88ef 2 bytes JMP 7133000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075d758b3 6 bytes JMP 7190000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075d75ea6 6 bytes JMP 718a000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075d77bcc 6 bytes JMP 7199000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075d7b895 6 bytes JMP 7181000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075d7c332 6 bytes JMP 7187000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075d7cbfb 6 bytes JMP 7193000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075d7e743 6 bytes JMP 7196000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d8e96b 5 bytes JMP 0000000174fd3b60 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d8eba5 5 bytes JMP 0000000174fd3b80 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075da4857 6 bytes JMP 7184000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007543124e 6 bytes JMP 718d000a .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 76cfb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 76cfb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 76d78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 76cd48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 76d787a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 76d78978 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 76d78698 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 76d78a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 76cefca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76cf68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 76d78f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 76d78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 76d7865c C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 76cefd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 76cfb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 76d78e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\wojtek\Desktop\pcfix\Gmer\51fix0vs.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 76d785f1 C:\Windows\syswow64\kernel32.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef823741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8235f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8235674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8235e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8237f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8236a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8236ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8237b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8237ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef82378b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8234fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8235d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2396] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8237584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c80935b8aaa Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 17789 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4c80935b8aaa (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----