GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-05-21 17:32:29 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-7 SAMSUNG_HD080HJ rev.ZH100-41 74,53GB Running: 7uetjh8p.exe; Driver: C:\Users\g6r\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007739dc60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007739de60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007739dc60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007739de60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\services.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\services.exe[520] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefced50a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\lsass.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\svchost.exe[712] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000e350a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\System32\svchost.exe[996] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes JMP d672d672 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes JMP 30003 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes JMP 7288831 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes JMP 9000b .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes JMP 7c97278 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes JMP 30005 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes JMP 9002f .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes JMP 94962f0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes JMP 12881 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes JMP 680 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes JMP d643d643 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes JMP 8b9a348 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes JMP 7316621 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes JMP 8fb3278 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes JMP 82027e1 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes JMP 8577ea8 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes JMP 73294a9 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes JMP 986aa88 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes JMP 4 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes JMP 62b3820 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes JMP 73cc7c1 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes JMP 94a15da .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes JMP 2d7480 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes JMP 16480 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes JMP 73163c1 .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes JMP 8ebe7aa .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes JMP 41dc00 .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes JMP 65a2d09 .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes JMP 80009 .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[244] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd7c3e80 6 bytes {JMP QWORD [RIP+0x1ec1b0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e450a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4d22cc 6 bytes {JMP QWORD [RIP+0x4ddd64]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4d24c0 6 bytes {JMP QWORD [RIP+0x4fdb70]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd4d5bf0 6 bytes {JMP QWORD [RIP+0x51a440]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4d8388 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4d89c8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd4d9334 6 bytes {JMP QWORD [RIP+0x4b6cfc]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd4db9e8 6 bytes {JMP QWORD [RIP+0x554648]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd4dc8d0 6 bytes {JMP QWORD [RIP+0x533760]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077136ef0 6 bytes {JMP QWORD [RIP+0x9309140]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077138184 6 bytes {JMP QWORD [RIP+0x93e7eac]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SetParent 0000000077138530 6 bytes {JMP QWORD [RIP+0x9327b00]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077139bcc 6 bytes {JMP QWORD [RIP+0x9086464]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!PostMessageA 000000007713a404 6 bytes {JMP QWORD [RIP+0x90c5c2c]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!EnableWindow 000000007713aaa0 6 bytes {JMP QWORD [RIP+0x9425590]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!MoveWindow 000000007713aad0 6 bytes {JMP QWORD [RIP+0x9345560]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007713c720 6 bytes {JMP QWORD [RIP+0x92e3910]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007713cd50 6 bytes {JMP QWORD [RIP+0x93c32e0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007713d2b0 6 bytes {JMP QWORD [RIP+0x9102d80]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendMessageA 000000007713d338 6 bytes {JMP QWORD [RIP+0x9142cf8]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007713dc40 6 bytes {JMP QWORD [RIP+0x92223f0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007713f510 6 bytes {JMP QWORD [RIP+0x9400b20]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007713f874 6 bytes {JMP QWORD [RIP+0x90407bc]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007713fac0 6 bytes {JMP QWORD [RIP+0x91a0570]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077140b74 6 bytes {JMP QWORD [RIP+0x911f4bc]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000771433b0 6 bytes {JMP QWORD [RIP+0x909cc80]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077144d4d 5 bytes {JMP QWORD [RIP+0x905b2e4]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!GetKeyState 0000000077145010 6 bytes {JMP QWORD [RIP+0x92bb020]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077145438 6 bytes {JMP QWORD [RIP+0x91dabf8]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendMessageW 0000000077146b50 6 bytes {JMP QWORD [RIP+0x91594e0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!PostMessageW 00000000771476e4 6 bytes {JMP QWORD [RIP+0x90d894c]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007714dd90 6 bytes {JMP QWORD [RIP+0x92522a0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!GetClipboardData 000000007714e874 6 bytes {JMP QWORD [RIP+0x93917bc]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007714f780 6 bytes {JMP QWORD [RIP+0x93508b0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000771528e4 6 bytes {JMP QWORD [RIP+0x91ed74c]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!mouse_event 0000000077153894 6 bytes {JMP QWORD [RIP+0x8fec79c]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077158a10 6 bytes {JMP QWORD [RIP+0x9287620]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077158be0 6 bytes {JMP QWORD [RIP+0x9167450]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077158c20 6 bytes {JMP QWORD [RIP+0x9007410]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendInput 0000000077158cd0 6 bytes {JMP QWORD [RIP+0x9267360]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!BlockInput 000000007715ad60 6 bytes {JMP QWORD [RIP+0x93652d0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000771814e0 6 bytes {JMP QWORD [RIP+0x93feb50]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!keybd_event 00000000771a45a4 6 bytes {JMP QWORD [RIP+0x8f7ba8c]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000771acc08 6 bytes {JMP QWORD [RIP+0x91d3428]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000771adf18 6 bytes {JMP QWORD [RIP+0x9152118]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe489190 5 bytes [FF, 25, A0, 6E, E3] .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe6a23e0 6 bytes {JMP QWORD [RIP+0xbfdc50]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x1038ba0]} .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefced50a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\System32\svchost.exe[1628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[1628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[1628] C:\Windows\System32\SspiCli.dll!EncryptMessage 00000000010450a0 6 bytes JMP 0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007754fa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007754fa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007754fb74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007754fb78 2 bytes [B7, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007754fcfc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007754fd00 2 bytes [D8, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007754fdb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007754fdb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007754fe14 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007754fe18 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007754ff0c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007754ff10 2 bytes [C0, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007754ffc0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007754ffc4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007754fff0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007754fff4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077550050 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077550054 2 bytes [E4, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775500d0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775500d4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077550100 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077550104 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077550404 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077550408 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 000000007755041c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077550420 2 bytes [F6, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 000000007755059c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775505a0 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775506e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775506e4 2 bytes [D5, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077550740 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077550744 2 bytes [ED, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775507e8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775507ec 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077550830 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077550834 2 bytes [E7, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775508c0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775508c4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775508d8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775508dc 2 bytes [BD, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775508f0 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775508f4 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077550e40 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077550e44 2 bytes [D2, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077550f24 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077550f28 2 bytes [BA, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077551c30 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077551c34 2 bytes [CF, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077551d00 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077551d04 2 bytes [DE, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077551dd8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077551ddc 2 bytes [DB, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077573bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075de3bab 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075de3baf 2 bytes [9B, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075de9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075df3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075dfccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075e4dc3e 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1788] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075e4dce1 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075de3bab 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1608] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075de3baf 2 bytes [9B, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1608] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075de9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1608] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075df3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1608] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075dfccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1608] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075e4dc3e 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1608] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075e4dce1 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007754fa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007754fa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007754fb74 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007754fb78 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007754fcfc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007754fd00 2 bytes [D8, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007754fdb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007754fdb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007754fe14 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007754fe18 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007754ff0c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007754ff10 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007754ffc0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007754ffc4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007754fff0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007754fff4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077550050 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077550054 2 bytes [E4, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775500d0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775500d4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077550100 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077550104 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077550404 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077550408 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 000000007755041c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077550420 2 bytes [F6, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 000000007755059c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775505a0 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775506e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775506e4 2 bytes [D5, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077550740 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077550744 2 bytes [ED, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775507e8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775507ec 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077550830 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077550834 2 bytes [E7, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775508c0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775508c4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775508d8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775508dc 2 bytes [BD, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775508f0 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775508f4 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077550e40 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077550e44 2 bytes [D2, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077550f24 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077550f28 2 bytes [BA, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077551c30 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077551c34 2 bytes [CF, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077551d00 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077551d04 2 bytes [DE, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077551dd8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077551ddc 2 bytes [DB, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077573bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075de3bab 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075de3baf 2 bytes [9B, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075de9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075df3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075dfccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075e4dc3e 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075e4dce1 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000770ef784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000770f2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075ad8332 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075ad8bff 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075ad90d3 6 bytes JMP 7103000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075ad9679 6 bytes JMP 7142000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075ad97d2 6 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075adee09 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075adefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075adefcd 2 bytes [08, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ae12a5 6 bytes JMP 714e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ae291f 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ae2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ae2d68 2 bytes [17, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ae2da4 6 bytes {JMP QWORD [RIP+0x70ff001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ae3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ae369c 2 bytes [14, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ae3baa 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ae3c61 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075ae6110 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ae612e 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ae6c30 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ae7603 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ae7668 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ae76e0 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ae781f 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ae835c 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075aec4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075aec4ba 2 bytes [11, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075afc112 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075afd0f5 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075afeb96 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075afec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075afec6c 2 bytes [23, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendInput 0000000075afff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075afff4e 2 bytes [26, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b19f1d 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b21497 6 bytes {JMP QWORD [RIP+0x70fc001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b3027b 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b302bf 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b36cfc 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b36d5d 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b37dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b37ddb 2 bytes [0E, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b388eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b388ef 2 bytes [1A, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075f39708 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2180] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007613b901 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\SearchIndexer.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes JMP 875ff56 .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes JMP 65636170 .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\System32\svchost.exe[204] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[204] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[204] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[204] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000029750a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes CALL 3000025 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd4d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4d8388 6 bytes {JMP QWORD [RIP+0xa7ca8]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4d89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd4d9334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd4db9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd4dc8d0 6 bytes {JMP QWORD [RIP+0x143760]} .text C:\Windows\system32\taskhost.exe[648] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024550a0 6 bytes {JMP QWORD [RIP+0xcaf90]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefd4d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!BitBlt 000007fefd4d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefd4d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefd4d8388 6 bytes {JMP QWORD [RIP+0xa7ca8]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefd4d89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!GetPixel 000007fefd4d9334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefd4db9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefd4dc8d0 6 bytes {JMP QWORD [RIP+0x143760]} .text C:\Windows\system32\AUDIODG.EXE[3744] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4d24c0 6 bytes JMP 1000c .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd4d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4d8388 6 bytes {JMP QWORD [RIP+0xa7ca8]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4d89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd4d9334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd4db9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd4dc8d0 6 bytes {JMP QWORD [RIP+0x143760]} .text C:\Windows\System32\svchost.exe[1980] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4d22cc 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4d24c0 6 bytes JMP 4400431 .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd4d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4d8388 6 bytes {JMP QWORD [RIP+0xa7ca8]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4d89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd4d9334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd4db9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd4dc8d0 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[2308] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x1038ba0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd4d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4d8388 6 bytes {JMP QWORD [RIP+0xa7ca8]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4d89c8 6 bytes JMP 720065 .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd4d9334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd4db9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd4dc8d0 6 bytes {JMP QWORD [RIP+0x143760]} .text C:\Windows\system32\notepad.exe[4040] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x1038ba0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077373260 6 bytes {JMP QWORD [RIP+0x8cccdd0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007739dca0 6 bytes {JMP QWORD [RIP+0x8c82390]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007739dd70 6 bytes {JMP QWORD [RIP+0x94c22c0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007739de70 6 bytes {JMP QWORD [RIP+0x93621c0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739dee0 6 bytes {JMP QWORD [RIP+0x9442150]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007739df20 6 bytes {JMP QWORD [RIP+0x9402110]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007739dfc0 6 bytes {JMP QWORD [RIP+0x9462070]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007739e030 6 bytes {JMP QWORD [RIP+0x9262000]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007739e050 6 bytes {JMP QWORD [RIP+0x93e1fe0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007739e090 6 bytes {JMP QWORD [RIP+0x92e1fa0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007739e0e0 6 bytes {JMP QWORD [RIP+0x9301f50]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739e100 6 bytes {JMP QWORD [RIP+0x9421f30]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007739e2f0 6 bytes {JMP QWORD [RIP+0x9501d40]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007739e300 6 bytes {JMP QWORD [RIP+0x9221d30]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007739e400 6 bytes {JMP QWORD [RIP+0x9201c30]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007739e4d0 6 bytes {JMP QWORD [RIP+0x9381b60]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007739e510 6 bytes {JMP QWORD [RIP+0x9281b20]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007739e580 6 bytes {JMP QWORD [RIP+0x9241ab0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007739e5b0 6 bytes {JMP QWORD [RIP+0x92c1a80]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007739e610 6 bytes {JMP QWORD [RIP+0x92a1a20]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007739e620 6 bytes {JMP QWORD [RIP+0x9481a10]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007739e630 6 bytes {JMP QWORD [RIP+0x94e1a00]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007739e9a0 6 bytes {JMP QWORD [RIP+0x93a1690]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007739ea30 6 bytes {JMP QWORD [RIP+0x94a1600]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007739f2a0 6 bytes {JMP QWORD [RIP+0x93c0d90]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007739f320 6 bytes {JMP QWORD [RIP+0x9320d10]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007739f3a0 6 bytes {JMP QWORD [RIP+0x9340c90]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077241870 6 bytes {JMP QWORD [RIP+0x8ebe7c0]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724dbc0 6 bytes {JMP QWORD [RIP+0x8e12470]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772bf500 6 bytes {JMP QWORD [RIP+0x8de0b30]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000772bf530 6 bytes {JMP QWORD [RIP+0x8e20b00]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000772bf700 6 bytes {JMP QWORD [RIP+0x8dc0930]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000772c54d0 6 bytes {JMP QWORD [RIP+0x8dfab60]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd154c30 5 bytes [FF, 25, 00, B4, 0A] .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd15a6f5 3 bytes [15, 59, 05] .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd4d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4d8388 6 bytes {JMP QWORD [RIP+0xa7ca8]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4d89c8 6 bytes JMP 720065 .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd4d9334 6 bytes {JMP QWORD [RIP+0xc6cfc]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd4db9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd4dc8d0 6 bytes {JMP QWORD [RIP+0x143760]} .text C:\Windows\system32\notepad.exe[2792] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe247490 6 bytes {JMP QWORD [RIP+0x1038ba0]} .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007754fa2c 3 bytes JMP 71af000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007754fa30 2 bytes JMP 71af000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007754fb74 3 bytes JMP 70be000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007754fb78 2 bytes JMP 70be000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007754fcfc 3 bytes JMP 70df000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007754fd00 2 bytes JMP 70df000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007754fdb0 3 bytes JMP 70ca000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007754fdb4 2 bytes JMP 70ca000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007754fe14 3 bytes JMP 70d0000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007754fe18 2 bytes JMP 70d0000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007754ff0c 3 bytes JMP 70c7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007754ff10 2 bytes JMP 70c7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007754ffc0 3 bytes JMP 70f7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007754ffc4 2 bytes JMP 70f7000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007754fff0 3 bytes JMP 70d3000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007754fff4 2 bytes JMP 70d3000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077550050 3 bytes JMP 70eb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077550054 2 bytes JMP 70eb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775500d0 3 bytes JMP 70e8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775500d4 2 bytes JMP 70e8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077550100 3 bytes JMP 70cd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077550104 2 bytes JMP 70cd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077550404 3 bytes JMP 70b8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077550408 2 bytes JMP 70b8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 000000007755041c 3 bytes JMP 70fd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077550420 2 bytes JMP 70fd000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 000000007755059c 3 bytes JMP 7100000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775505a0 2 bytes JMP 7100000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775506e0 3 bytes JMP 70dc000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775506e4 2 bytes JMP 70dc000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077550740 3 bytes JMP 70f4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077550744 2 bytes JMP 70f4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775507e8 3 bytes JMP 70fa000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775507ec 2 bytes JMP 70fa000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077550830 3 bytes JMP 70ee000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077550834 2 bytes JMP 70ee000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775508c0 3 bytes JMP 70f1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775508c4 2 bytes JMP 70f1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775508d8 3 bytes JMP 70c4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775508dc 2 bytes JMP 70c4000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775508f0 3 bytes JMP 70bb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775508f4 2 bytes JMP 70bb000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077550e40 3 bytes JMP 70d9000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077550e44 2 bytes JMP 70d9000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077550f24 3 bytes JMP 70c1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077550f28 2 bytes JMP 70c1000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077551c30 3 bytes JMP 70d6000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077551c34 2 bytes JMP 70d6000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077551d00 3 bytes JMP 70e5000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077551d04 2 bytes JMP 70e5000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077551dd8 3 bytes JMP 70e2000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077551ddc 2 bytes JMP 70e2000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077573bfb 6 bytes JMP 71a8000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075de3bab 3 bytes JMP 719c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075de3baf 2 bytes JMP 719c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075de9aa4 6 bytes JMP 7184000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075df3b62 6 bytes JMP 717b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075dfccd1 6 bytes JMP 7187000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075e4dc3e 6 bytes JMP 7181000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075e4dce1 6 bytes JMP 717e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000770ef784 6 bytes JMP 719f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000770f2c9e 4 bytes CALL 71ac0000 .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075ad8332 6 bytes JMP 715a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075ad8bff 6 bytes JMP 714e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075ad90d3 6 bytes JMP 7109000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075ad9679 6 bytes JMP 7148000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075ad97d2 6 bytes JMP 7142000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075adee09 6 bytes JMP 7160000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075adefc9 3 bytes JMP 710f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075adefcd 2 bytes JMP 710f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ae12a5 6 bytes JMP 7154000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ae291f 6 bytes JMP 7127000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ae2d64 3 bytes JMP 711e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ae2d68 2 bytes JMP 711e000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ae2da4 6 bytes JMP 7106000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ae3698 3 bytes JMP 711b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ae369c 2 bytes JMP 711b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ae3baa 6 bytes JMP 7157000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ae3c61 6 bytes JMP 7151000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075ae6110 6 bytes JMP 715d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ae612e 6 bytes JMP 714b000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ae6c30 6 bytes JMP 710c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ae7603 6 bytes JMP 7163000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ae7668 6 bytes JMP 7136000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ae76e0 6 bytes JMP 713c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ae781f 6 bytes JMP 7145000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ae835c 6 bytes JMP 7166000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075aec4b6 3 bytes JMP 7118000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075aec4ba 2 bytes JMP 7118000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075afc112 6 bytes JMP 7133000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075afd0f5 6 bytes JMP 7130000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075afeb96 6 bytes JMP 7124000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075afec68 3 bytes JMP 712a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075afec6c 2 bytes JMP 712a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendInput 0000000075afff4a 3 bytes JMP 712d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075afff4e 2 bytes JMP 712d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b19f1d 6 bytes JMP 7112000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b21497 6 bytes JMP 7103000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b3027b 6 bytes JMP 7169000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b302bf 6 bytes JMP 716c000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b36cfc 6 bytes JMP 713f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b36d5d 6 bytes JMP 7139000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b37dd7 3 bytes JMP 7115000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b37ddb 2 bytes JMP 7115000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b388eb 3 bytes JMP 7121000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b388ef 2 bytes JMP 7121000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752f58b3 6 bytes JMP 718d000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000752f5ea6 6 bytes JMP 7178000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000752f7bcc 6 bytes JMP 7196000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000752fb895 6 bytes JMP 716f000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000752fc332 6 bytes JMP 7175000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000752fcbfb 6 bytes JMP 7190000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000752fe743 6 bytes JMP 7193000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075324857 6 bytes JMP 7172000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074ed124e 6 bytes JMP 718a000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000750a9d0b 6 bytes JMP 7199000a .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a81401 2 bytes JMP 75dfb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a81419 2 bytes JMP 75dfb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a81431 2 bytes JMP 75e78f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a8144a 2 bytes CALL 75dd489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a814dd 2 bytes JMP 75e78822 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a814f5 2 bytes JMP 75e789f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a8150d 2 bytes JMP 75e78718 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a81525 2 bytes JMP 75e78ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a8153d 2 bytes JMP 75defca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a81555 2 bytes JMP 75df68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a8156d 2 bytes JMP 75e78fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a81585 2 bytes JMP 75e78b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a8159d 2 bytes JMP 75e786dc C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a815b5 2 bytes JMP 75defd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a815cd 2 bytes JMP 75dfb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a816b2 2 bytes JMP 75e78ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\g6r\Downloads\7uetjh8p.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a816bd 2 bytes JMP 75e78671 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----