GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-05-20 03:35:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-5 SAMSUNG_HD080HJ rev.ZH100-41 74,53GB Running: 7uetjh8p.exe; Driver: C:\Users\g6r\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711dc60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711de60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[916] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes JMP 300c6 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes JMP 95e21a8 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes JMP 5a9efc0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes JMP 681 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes JMP 200 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes JMP b700b7 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes JMP 9056f48 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes JMP 380046 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes JMP 64ca5c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\System32\SspiCli.dll!EncryptMessage 0000000000e750a0 6 bytes {JMP QWORD [RIP+0x15af90]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes JMP 61004c .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes {JMP QWORD [RIP+0x913e7c0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes {JMP QWORD [RIP+0x9092470]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes {JMP QWORD [RIP+0x9060b30]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes {JMP QWORD [RIP+0x90a0b00]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes {JMP QWORD [RIP+0x9040930]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes {JMP QWORD [RIP+0x907ab60]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd293e80 6 bytes {JMP QWORD [RIP+0x1ac1b0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e250a0 6 bytes {JMP QWORD [RIP+0x9af90]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[1252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\System32\svchost.exe[1472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes JMP 6c .text C:\Windows\System32\svchost.exe[1472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\taskhost.exe[3032] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024a50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe3c22cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe3c24c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe3c5bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe3c8388 6 bytes {JMP QWORD [RIP+0x257ca8]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe3c89c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe3c9334 6 bytes {JMP QWORD [RIP+0x276cfc]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe3cb9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\Dwm.exe[1880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe3cc8d0 6 bytes {JMP QWORD [RIP+0x2f3760]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes {JMP QWORD [RIP+0x913e7c0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes {JMP QWORD [RIP+0x9092470]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes {JMP QWORD [RIP+0x9060b30]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes {JMP QWORD [RIP+0x90a0b00]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes {JMP QWORD [RIP+0x9040930]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes {JMP QWORD [RIP+0x907ab60]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0E] .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 09] .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe3c22cc 6 bytes {JMP QWORD [RIP+0x103dd64]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe3c24c0 6 bytes {JMP QWORD [RIP+0x109db70]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe3c5bf0 6 bytes {JMP QWORD [RIP+0x10ba440]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe3c8388 6 bytes {JMP QWORD [RIP+0xfe7ca8]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe3c89c8 6 bytes {JMP QWORD [RIP+0xfc7668]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe3c9334 6 bytes {JMP QWORD [RIP+0x1006cfc]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe3cb9e8 6 bytes {JMP QWORD [RIP+0x10f4648]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe3cc8d0 6 bytes {JMP QWORD [RIP+0x10d3760]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9589140]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9667eac]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x95a7b00]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96a5590]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 6 bytes {JMP QWORD [RIP+0x95c5560]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9563910]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96432e0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x9680b20]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x953b020]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96117bc]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95d08b0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9507620]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x94e7360]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x95e52d0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x967eb50]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe639190 5 bytes [FF, 25, A0, 6E, E0] .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe8523e0 6 bytes {JMP QWORD [RIP+0xbcdc50]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes {JMP QWORD [RIP+0x3f8ba0]} .text C:\Windows\Explorer.EXE[2604] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefcc550a0 6 bytes JMP 9b3 .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\SearchIndexer.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes {JMP QWORD [RIP+0x913e7c0]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes {JMP QWORD [RIP+0x9092470]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes {JMP QWORD [RIP+0x9060b30]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes {JMP QWORD [RIP+0x90a0b00]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes {JMP QWORD [RIP+0x9040930]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes {JMP QWORD [RIP+0x907ab60]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9589140]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9667eac]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x95a7b00]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96a5590]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 6 bytes {JMP QWORD [RIP+0x95c5560]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9563910]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96432e0]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x9680b20]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x953b020]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96117bc]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95d08b0]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9507620]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x94e7360]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x95e52d0]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x967eb50]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe3c22cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe3c24c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe3c5bf0 6 bytes JMP 17c0055 C:\Windows\system32\SHELL32.dll .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe3c8388 6 bytes {JMP QWORD [RIP+0x257ca8]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe3c89c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe3c9334 6 bytes {JMP QWORD [RIP+0x276cfc]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe3cb9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\System32\svchost.exe[3796] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe3cc8d0 6 bytes {JMP QWORD [RIP+0x2f3760]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\servicing\TrustedInstaller.exe[16160] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes {JMP QWORD [RIP+0x913e7c0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes {JMP QWORD [RIP+0x9092470]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes {JMP QWORD [RIP+0x9060b30]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes {JMP QWORD [RIP+0x90a0b00]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes {JMP QWORD [RIP+0x9040930]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes {JMP QWORD [RIP+0x907ab60]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0B] .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe3c22cc 6 bytes {JMP QWORD [RIP+0x104dd64]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe3c24c0 6 bytes {JMP QWORD [RIP+0x10adb70]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe3c5bf0 6 bytes {JMP QWORD [RIP+0x10ca440]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe3c8388 6 bytes {JMP QWORD [RIP+0xfe7ca8]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe3c89c8 6 bytes {JMP QWORD [RIP+0xfc7668]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe3c9334 6 bytes {JMP QWORD [RIP+0x1016cfc]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe3cb9e8 6 bytes {JMP QWORD [RIP+0x1104648]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe3cc8d0 6 bytes {JMP QWORD [RIP+0x10e3760]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe639190 5 bytes [FF, 25, A0, 6E, E1] .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe8523e0 6 bytes {JMP QWORD [RIP+0xbddc50]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes {JMP QWORD [RIP+0x648ba0]} .text C:\Users\g6r\Desktop\FRST64.exe[3832] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000003e450a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes {JMP QWORD [RIP+0x913e7c0]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes {JMP QWORD [RIP+0x9092470]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes {JMP QWORD [RIP+0x9060b30]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes {JMP QWORD [RIP+0x90a0b00]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes {JMP QWORD [RIP+0x9040930]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes {JMP QWORD [RIP+0x907ab60]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe3c22cc 6 bytes {JMP QWORD [RIP+0x103dd64]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe3c24c0 6 bytes {JMP QWORD [RIP+0x109db70]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe3c5bf0 6 bytes {JMP QWORD [RIP+0x10ba440]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe3c8388 6 bytes {JMP QWORD [RIP+0xfe7ca8]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe3c89c8 6 bytes {JMP QWORD [RIP+0xfc7668]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe3c9334 6 bytes {JMP QWORD [RIP+0x1006cfc]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe3cb9e8 6 bytes {JMP QWORD [RIP+0x10f4648]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe3cc8d0 6 bytes {JMP QWORD [RIP+0x10d3760]} .text C:\Windows\system32\notepad.exe[19536] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes {JMP QWORD [RIP+0x3f8ba0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes {JMP QWORD [RIP+0x913e7c0]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes {JMP QWORD [RIP+0x9092470]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes {JMP QWORD [RIP+0x9060b30]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes {JMP QWORD [RIP+0x90a0b00]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes {JMP QWORD [RIP+0x9040930]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes {JMP QWORD [RIP+0x907ab60]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe3c22cc 6 bytes {JMP QWORD [RIP+0x103dd64]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe3c24c0 6 bytes {JMP QWORD [RIP+0x109db70]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe3c5bf0 6 bytes {JMP QWORD [RIP+0x10ba440]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe3c8388 6 bytes {JMP QWORD [RIP+0xfe7ca8]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe3c89c8 6 bytes {JMP QWORD [RIP+0xfc7668]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe3c9334 6 bytes {JMP QWORD [RIP+0x1006cfc]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe3cb9e8 6 bytes {JMP QWORD [RIP+0x10f4648]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe3cc8d0 6 bytes {JMP QWORD [RIP+0x10d3760]} .text C:\Windows\system32\notepad.exe[8444] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3260 6 bytes {JMP QWORD [RIP+0x8f4cdd0]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007711dca0 6 bytes {JMP QWORD [RIP+0x8f02390]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007711dd70 6 bytes {JMP QWORD [RIP+0x97422c0]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711de70 6 bytes {JMP QWORD [RIP+0x95e21c0]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007711dee0 6 bytes {JMP QWORD [RIP+0x96c2150]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711df20 6 bytes {JMP QWORD [RIP+0x9682110]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007711dfc0 6 bytes {JMP QWORD [RIP+0x96e2070]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711e030 6 bytes {JMP QWORD [RIP+0x94e2000]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711e050 6 bytes {JMP QWORD [RIP+0x9661fe0]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711e090 6 bytes {JMP QWORD [RIP+0x9561fa0]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711e0e0 6 bytes {JMP QWORD [RIP+0x9581f50]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007711e100 6 bytes {JMP QWORD [RIP+0x96a1f30]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007711e2f0 6 bytes {JMP QWORD [RIP+0x9781d40]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007711e300 6 bytes {JMP QWORD [RIP+0x94a1d30]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711e400 6 bytes {JMP QWORD [RIP+0x9481c30]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007711e4d0 6 bytes {JMP QWORD [RIP+0x9601b60]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711e510 6 bytes {JMP QWORD [RIP+0x9501b20]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711e580 6 bytes {JMP QWORD [RIP+0x94c1ab0]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007711e5b0 6 bytes {JMP QWORD [RIP+0x9541a80]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711e610 6 bytes {JMP QWORD [RIP+0x9521a20]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007711e620 6 bytes {JMP QWORD [RIP+0x9701a10]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711e630 6 bytes {JMP QWORD [RIP+0x9761a00]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711e9a0 6 bytes {JMP QWORD [RIP+0x9621690]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007711ea30 6 bytes {JMP QWORD [RIP+0x9721600]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711f2a0 6 bytes {JMP QWORD [RIP+0x9640d90]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711f320 6 bytes {JMP QWORD [RIP+0x95a0d10]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711f3a0 6 bytes {JMP QWORD [RIP+0x95c0c90]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1870 6 bytes {JMP QWORD [RIP+0x913e7c0]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdbc0 6 bytes {JMP QWORD [RIP+0x9092470]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f500 6 bytes {JMP QWORD [RIP+0x9060b30]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f530 6 bytes {JMP QWORD [RIP+0x90a0b00]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f700 6 bytes {JMP QWORD [RIP+0x9040930]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770454d0 6 bytes {JMP QWORD [RIP+0x907ab60]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefced4c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceda6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe3c22cc 6 bytes {JMP QWORD [RIP+0x103dd64]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe3c24c0 6 bytes {JMP QWORD [RIP+0x109db70]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe3c5bf0 6 bytes {JMP QWORD [RIP+0x10ba440]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe3c8388 6 bytes {JMP QWORD [RIP+0xfe7ca8]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe3c89c8 6 bytes {JMP QWORD [RIP+0xfc7668]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe3c9334 6 bytes {JMP QWORD [RIP+0x1006cfc]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe3cb9e8 6 bytes {JMP QWORD [RIP+0x10f4648]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe3cc8d0 6 bytes {JMP QWORD [RIP+0x10d3760]} .text C:\Windows\system32\notepad.exe[18688] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd997490 6 bytes {JMP QWORD [RIP+0x3f8ba0]} .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cfa2c 3 bytes JMP 71af000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772cfa30 2 bytes JMP 71af000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb74 3 bytes JMP 70be000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000772cfb78 2 bytes JMP 70be000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcfc 3 bytes JMP 70df000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772cfd00 2 bytes JMP 70df000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772cfdb0 3 bytes JMP 70ca000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772cfdb4 2 bytes JMP 70ca000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfe14 3 bytes JMP 70d0000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772cfe18 2 bytes JMP 70d0000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772cff0c 3 bytes JMP 70c7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772cff10 2 bytes JMP 70c7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772cffc0 3 bytes JMP 70f7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000772cffc4 2 bytes JMP 70f7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cfff0 3 bytes JMP 70d3000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772cfff4 2 bytes JMP 70d3000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0050 3 bytes JMP 70eb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772d0054 2 bytes JMP 70eb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772d00d0 3 bytes JMP 70e8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772d00d4 2 bytes JMP 70e8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d0100 3 bytes JMP 70cd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772d0104 2 bytes JMP 70cd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772d0404 3 bytes JMP 70b8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772d0408 2 bytes JMP 70b8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772d041c 3 bytes JMP 70fd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000772d0420 2 bytes JMP 70fd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d059c 3 bytes JMP 7100000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772d05a0 2 bytes JMP 7100000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772d06e0 3 bytes JMP 70dc000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772d06e4 2 bytes JMP 70dc000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000772d0740 3 bytes JMP 70f4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000772d0744 2 bytes JMP 70f4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d07e8 3 bytes JMP 70fa000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000772d07ec 2 bytes JMP 70fa000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772d0830 3 bytes JMP 70ee000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000772d0834 2 bytes JMP 70ee000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772d08c0 3 bytes JMP 70f1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000772d08c4 2 bytes JMP 70f1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d08d8 3 bytes JMP 70c4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772d08dc 2 bytes JMP 70c4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08f0 3 bytes JMP 70bb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772d08f4 2 bytes JMP 70bb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0e40 3 bytes JMP 70d9000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772d0e44 2 bytes JMP 70d9000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772d0f24 3 bytes JMP 70c1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772d0f28 2 bytes JMP 70c1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1c30 3 bytes JMP 70d6000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772d1c34 2 bytes JMP 70d6000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772d1d00 3 bytes JMP 70e5000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772d1d04 2 bytes JMP 70e5000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1dd8 3 bytes JMP 70e2000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772d1ddc 2 bytes JMP 70e2000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772f3bfb 6 bytes JMP 71a8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754d3bab 3 bytes JMP 719c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754d3baf 2 bytes JMP 719c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754d9aa4 6 bytes JMP 7184000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754e3b62 6 bytes JMP 717b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754eccd1 6 bytes JMP 7187000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007553dc3e 6 bytes JMP 7181000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007553dce1 6 bytes JMP 717e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074d2f784 6 bytes JMP 719f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074d32c9e 4 bytes CALL 71ac0000 .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074db8332 6 bytes JMP 715a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074db8bff 6 bytes JMP 714e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074db90d3 6 bytes JMP 7109000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074db9679 6 bytes JMP 7148000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074db97d2 6 bytes JMP 7142000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074dbee09 6 bytes JMP 7160000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074dbefc9 3 bytes JMP 710f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074dbefcd 2 bytes JMP 710f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074dc12a5 6 bytes JMP 7154000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074dc291f 6 bytes JMP 7127000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetParent 0000000074dc2d64 3 bytes JMP 711e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074dc2d68 2 bytes JMP 711e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074dc2da4 6 bytes JMP 7106000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074dc3698 3 bytes JMP 711b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074dc369c 2 bytes JMP 711b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074dc3baa 6 bytes JMP 7157000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074dc3c61 6 bytes JMP 7151000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074dc6110 6 bytes JMP 715d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074dc612e 6 bytes JMP 714b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074dc6c30 6 bytes JMP 710c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074dc7603 6 bytes JMP 7163000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074dc7668 6 bytes JMP 7136000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074dc76e0 6 bytes JMP 713c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074dc781f 6 bytes JMP 7145000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074dc835c 6 bytes JMP 7166000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074dcc4b6 3 bytes JMP 7118000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074dcc4ba 2 bytes JMP 7118000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074ddc112 6 bytes JMP 7133000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074ddd0f5 6 bytes JMP 7130000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074ddeb96 6 bytes JMP 7124000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074ddec68 3 bytes JMP 712a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074ddec6c 2 bytes JMP 712a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendInput 0000000074ddff4a 3 bytes JMP 712d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074ddff4e 2 bytes JMP 712d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074df9f1d 6 bytes JMP 7112000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074e01497 6 bytes JMP 7103000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074e1027b 6 bytes JMP 7169000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074e102bf 6 bytes JMP 716c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074e16cfc 6 bytes JMP 713f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074e16d5d 6 bytes JMP 7139000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074e17dd7 3 bytes JMP 7115000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074e17ddb 2 bytes JMP 7115000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074e188eb 3 bytes JMP 7121000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074e188ef 2 bytes JMP 7121000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757658b3 6 bytes JMP 718d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075765ea6 6 bytes JMP 7178000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075767bcc 6 bytes JMP 7196000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007576b895 6 bytes JMP 716f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007576c332 6 bytes JMP 7175000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007576cbfb 6 bytes JMP 7190000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007576e743 6 bytes JMP 7193000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075794857 6 bytes JMP 7172000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c5124e 6 bytes JMP 718a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076849d0b 6 bytes JMP 7199000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754a1401 2 bytes JMP 754eb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754a1419 2 bytes JMP 754eb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754a1431 2 bytes JMP 75568f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754a144a 2 bytes CALL 754c489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754a14dd 2 bytes JMP 75568822 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754a14f5 2 bytes JMP 755689f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754a150d 2 bytes JMP 75568718 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754a1525 2 bytes JMP 75568ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754a153d 2 bytes JMP 754dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754a1555 2 bytes JMP 754e68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754a156d 2 bytes JMP 75568fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754a1585 2 bytes JMP 75568b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754a159d 2 bytes JMP 755686dc C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754a15b5 2 bytes JMP 754dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754a15cd 2 bytes JMP 754eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754a16b2 2 bytes JMP 75568ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[19168] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754a16bd 2 bytes JMP 75568671 C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\AUDIODG.EXE [3564:4472] 000007fef9f87acc ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----