GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-16 23:54:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB Running: one05i4e.exe; Driver: C:\Users\muun\AppData\Local\Temp\kftciaod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000001497e0450 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000001497e0370 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000001497e03e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000001497e0320 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000001497e03b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000001497e0390 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000001497e02e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000001497e02d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000001497e0310 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000001497e03c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000001497e03f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000001497e0230 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000001497e03a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000001497e02f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000001497e0350 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000001497e0290 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000001497e02b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000001497e03d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000001497e0330 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000001497e0410 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000001497e0240 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000001497e01e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000001497e0250 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000001497e0490 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000001497e04a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000001497e0300 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000001497e0360 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000001497e02a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000001497e02c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000001497e0380 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000001497e0340 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000001497e0440 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000001497e0260 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000001497e0270 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000001497e0400 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000001497e01f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000001497e0210 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000001497e0200 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000001497e0420 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000001497e0430 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000001497e0220 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000001497e0280 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000001497e0450 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000001497e0370 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000001497e03e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000001497e0320 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000001497e03b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000001497e0390 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000001497e02e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000001497e02d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000001497e0310 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000001497e03c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000001497e03f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000001497e0230 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000001497e03a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000001497e02f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000001497e0350 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000001497e0290 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000001497e02b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000001497e03d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000001497e0330 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000001497e0410 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000001497e0240 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000001497e01e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000001497e0250 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000001497e0490 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000001497e04a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000001497e0300 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000001497e0360 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000001497e02a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000001497e02c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000001497e0380 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000001497e0340 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000001497e0440 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000001497e0260 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000001497e0270 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000001497e0400 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000001497e01f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000001497e0210 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000001497e0200 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000001497e0420 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000001497e0430 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000001497e0220 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000001497e0280 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\wininit.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\winlogon.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\services.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\services.exe[644] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[644] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde93e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3950a0 6 bytes JMP 9b3 .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077716ef0 6 bytes {JMP QWORD [RIP+0x8d29140]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077718184 6 bytes {JMP QWORD [RIP+0x8e07eac]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SetParent 0000000077718530 6 bytes {JMP QWORD [RIP+0x8d47b00]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077719bcc 6 bytes {JMP QWORD [RIP+0x8aa6464]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!PostMessageA 000000007771a404 6 bytes {JMP QWORD [RIP+0x8ae5c2c]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!EnableWindow 000000007771aaa0 6 bytes {JMP QWORD [RIP+0x8e45590]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!MoveWindow 000000007771aad0 6 bytes {JMP QWORD [RIP+0x8d65560]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007771c720 6 bytes {JMP QWORD [RIP+0x8d03910]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007771cd50 6 bytes {JMP QWORD [RIP+0x8de32e0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007771d2b0 6 bytes {JMP QWORD [RIP+0x8b22d80]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendMessageA 000000007771d338 6 bytes {JMP QWORD [RIP+0x8b62cf8]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007771dc40 6 bytes {JMP QWORD [RIP+0x8c423f0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007771f510 6 bytes {JMP QWORD [RIP+0x8e20b20]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007771f874 6 bytes {JMP QWORD [RIP+0x8a607bc]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007771fac0 6 bytes {JMP QWORD [RIP+0x8bc0570]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077720b74 6 bytes {JMP QWORD [RIP+0x8b3f4bc]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777233b0 6 bytes {JMP QWORD [RIP+0x8abcc80]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077724d4d 5 bytes {JMP QWORD [RIP+0x8a7b2e4]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!GetKeyState 0000000077725010 6 bytes {JMP QWORD [RIP+0x8cdb020]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077725438 6 bytes {JMP QWORD [RIP+0x8bfabf8]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendMessageW 0000000077726b50 6 bytes {JMP QWORD [RIP+0x8b794e0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!PostMessageW 00000000777276e4 6 bytes {JMP QWORD [RIP+0x8af894c]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007772dd90 6 bytes {JMP QWORD [RIP+0x8c722a0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!GetClipboardData 000000007772e874 6 bytes {JMP QWORD [RIP+0x8db17bc]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007772f780 6 bytes {JMP QWORD [RIP+0x8d708b0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777328e4 6 bytes {JMP QWORD [RIP+0x8c0d74c]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!mouse_event 0000000077733894 6 bytes {JMP QWORD [RIP+0x8a0c79c]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077738a10 6 bytes {JMP QWORD [RIP+0x8ca7620]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077738be0 6 bytes {JMP QWORD [RIP+0x8b87450]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077738c20 6 bytes {JMP QWORD [RIP+0x8a27410]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendInput 0000000077738cd0 6 bytes {JMP QWORD [RIP+0x8c87360]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!BlockInput 000000007773ad60 6 bytes {JMP QWORD [RIP+0x8d852d0]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777614e0 6 bytes {JMP QWORD [RIP+0x8e1eb50]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!keybd_event 00000000777845a4 6 bytes {JMP QWORD [RIP+0x899ba8c]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007778cc08 6 bytes {JMP QWORD [RIP+0x8bf3428]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007778df18 6 bytes {JMP QWORD [RIP+0x8b72118]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes JMP 0 .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\system32\services.exe[644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000dd50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000dd50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde93e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[752] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000eb50a0 6 bytes JMP 390039 .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes JMP 1ca440 .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\system32\nvvsvc.exe[828] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde93e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e850a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 36002e .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes JMP ab4d .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000fc50a0 6 bytes {JMP QWORD [RIP+0x1caf90]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes JMP 682 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes JMP dce1de01 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes JMP fdf60590 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes JMP 900000e6 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes JMP 740065 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 2d002000 .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes JMP 18 .text C:\Windows\System32\svchost.exe[392] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000dd50a0 6 bytes JMP 2d0074 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes JMP 880c542 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes JMP d3535f08 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes JMP 440a2b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes JMP 440041 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes JMP 450049 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000f250a0 6 bytes {JMP QWORD [RIP+0xdaf90]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes JMP aac70 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes JMP 760065 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[704] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011050a0 6 bytes {JMP QWORD [RIP+0x14caf90]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000dd50a0 6 bytes {JMP QWORD [RIP+0x10af90]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077716ef0 6 bytes {JMP QWORD [RIP+0x8d29140]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077718184 6 bytes {JMP QWORD [RIP+0x8e07eac]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SetParent 0000000077718530 6 bytes {JMP QWORD [RIP+0x8d47b00]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077719bcc 6 bytes {JMP QWORD [RIP+0x8aa6464]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!PostMessageA 000000007771a404 6 bytes {JMP QWORD [RIP+0x8ae5c2c]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!EnableWindow 000000007771aaa0 6 bytes {JMP QWORD [RIP+0x8e45590]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!MoveWindow 000000007771aad0 6 bytes {JMP QWORD [RIP+0x8d65560]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007771c720 6 bytes {JMP QWORD [RIP+0x8d03910]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007771cd50 6 bytes {JMP QWORD [RIP+0x8de32e0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007771d2b0 6 bytes {JMP QWORD [RIP+0x8b22d80]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendMessageA 000000007771d338 6 bytes {JMP QWORD [RIP+0x8b62cf8]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007771dc40 6 bytes {JMP QWORD [RIP+0x8c423f0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007771f510 6 bytes {JMP QWORD [RIP+0x8e20b20]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007771f874 6 bytes {JMP QWORD [RIP+0x8a607bc]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007771fac0 6 bytes {JMP QWORD [RIP+0x8bc0570]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077720b74 6 bytes {JMP QWORD [RIP+0x8b3f4bc]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777233b0 6 bytes {JMP QWORD [RIP+0x8abcc80]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077724d4d 5 bytes {JMP QWORD [RIP+0x8a7b2e4]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!GetKeyState 0000000077725010 6 bytes {JMP QWORD [RIP+0x8cdb020]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077725438 6 bytes {JMP QWORD [RIP+0x8bfabf8]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendMessageW 0000000077726b50 6 bytes {JMP QWORD [RIP+0x8b794e0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!PostMessageW 00000000777276e4 6 bytes {JMP QWORD [RIP+0x8af894c]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007772dd90 6 bytes {JMP QWORD [RIP+0x8c722a0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!GetClipboardData 000000007772e874 6 bytes {JMP QWORD [RIP+0x8db17bc]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007772f780 6 bytes {JMP QWORD [RIP+0x8d708b0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777328e4 6 bytes {JMP QWORD [RIP+0x8c0d74c]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!mouse_event 0000000077733894 6 bytes {JMP QWORD [RIP+0x8a0c79c]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077738a10 6 bytes {JMP QWORD [RIP+0x8ca7620]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077738be0 6 bytes {JMP QWORD [RIP+0x8b87450]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077738c20 6 bytes {JMP QWORD [RIP+0x8a27410]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendInput 0000000077738cd0 6 bytes {JMP QWORD [RIP+0x8c87360]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!BlockInput 000000007773ad60 6 bytes {JMP QWORD [RIP+0x8d852d0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777614e0 6 bytes {JMP QWORD [RIP+0x8e1eb50]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!keybd_event 00000000777845a4 6 bytes {JMP QWORD [RIP+0x899ba8c]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007778cc08 6 bytes {JMP QWORD [RIP+0x8bf3428]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007778df18 6 bytes {JMP QWORD [RIP+0x8b72118]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000021e50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde93e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[1780] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000df50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 77000026 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000026550a0 6 bytes {JMP QWORD [RIP+0x59af90]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\Explorer.EXE[1876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes JMP 640065 .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes JMP ffffffff .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077716ef0 6 bytes {JMP QWORD [RIP+0x8d29140]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077718184 6 bytes {JMP QWORD [RIP+0x8e07eac]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SetParent 0000000077718530 6 bytes {JMP QWORD [RIP+0x8d47b00]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077719bcc 6 bytes {JMP QWORD [RIP+0x8aa6464]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!PostMessageA 000000007771a404 6 bytes {JMP QWORD [RIP+0x8ae5c2c]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!EnableWindow 000000007771aaa0 6 bytes {JMP QWORD [RIP+0x8e45590]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!MoveWindow 000000007771aad0 6 bytes {JMP QWORD [RIP+0x8d65560]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007771c720 6 bytes {JMP QWORD [RIP+0x8d03910]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007771cd50 6 bytes {JMP QWORD [RIP+0x8de32e0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007771d2b0 6 bytes {JMP QWORD [RIP+0x8b22d80]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendMessageA 000000007771d338 6 bytes {JMP QWORD [RIP+0x8b62cf8]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007771dc40 6 bytes {JMP QWORD [RIP+0x8c423f0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007771f510 6 bytes {JMP QWORD [RIP+0x8e20b20]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007771f874 6 bytes {JMP QWORD [RIP+0x8a607bc]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007771fac0 6 bytes {JMP QWORD [RIP+0x8bc0570]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077720b74 6 bytes {JMP QWORD [RIP+0x8b3f4bc]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777233b0 6 bytes {JMP QWORD [RIP+0x8abcc80]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077724d4d 5 bytes {JMP QWORD [RIP+0x8a7b2e4]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!GetKeyState 0000000077725010 6 bytes {JMP QWORD [RIP+0x8cdb020]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077725438 6 bytes {JMP QWORD [RIP+0x8bfabf8]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendMessageW 0000000077726b50 6 bytes {JMP QWORD [RIP+0x8b794e0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!PostMessageW 00000000777276e4 6 bytes {JMP QWORD [RIP+0x8af894c]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007772dd90 6 bytes {JMP QWORD [RIP+0x8c722a0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!GetClipboardData 000000007772e874 6 bytes {JMP QWORD [RIP+0x8db17bc]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007772f780 6 bytes {JMP QWORD [RIP+0x8d708b0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777328e4 6 bytes {JMP QWORD [RIP+0x8c0d74c]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!mouse_event 0000000077733894 6 bytes {JMP QWORD [RIP+0x8a0c79c]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077738a10 6 bytes {JMP QWORD [RIP+0x8ca7620]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077738be0 6 bytes {JMP QWORD [RIP+0x8b87450]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077738c20 6 bytes {JMP QWORD [RIP+0x8a27410]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendInput 0000000077738cd0 6 bytes {JMP QWORD [RIP+0x8c87360]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!BlockInput 000000007773ad60 6 bytes {JMP QWORD [RIP+0x8d852d0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777614e0 6 bytes {JMP QWORD [RIP+0x8e1eb50]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!keybd_event 00000000777845a4 6 bytes {JMP QWORD [RIP+0x899ba8c]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007778cc08 6 bytes {JMP QWORD [RIP+0x8bf3428]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007778df18 6 bytes {JMP QWORD [RIP+0x8b72118]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe9e9190 6 bytes {JMP QWORD [RIP+0x11a6ea0]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefec023e0 6 bytes {JMP QWORD [RIP+0xf6dc50]} .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes JMP 1e3603b .text C:\Windows\Explorer.EXE[1876] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3950a0 6 bytes JMP 9b3 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes JMP 2bc .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes JMP 1000100 C:\Windows\system32\SSPICLI.DLL .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP 127650 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes JMP 238 .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[2000] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000fe50a0 6 bytes {JMP QWORD [RIP+0x1faf90]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a0f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a0f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a0fb28 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a0fb2c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a0fcb0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a0fcb4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a0fd64 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a0fd68 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a0fdc8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a0fdcc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a0fec0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a0fec4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a0ff74 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a0ff78 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a0ffa4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a0ffa8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a10004 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a10008 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a10084 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a10088 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a100b4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a100b8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a103b8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a103bc 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077a103d0 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077a103d4 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a10550 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a10554 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a10694 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a10698 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077a106f4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077a106f8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a1079c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077a107a0 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077a107e4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077a107e8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077a10874 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077a10878 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1088c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a10890 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a108a4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a108a8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a10df4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a10df8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a10ed8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a10edc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a11be4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a11be8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a11cb4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a11cb8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a11d8c 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a11d90 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a31287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076293bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076293bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076299aa4 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000762a3b62 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000762accd1 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000762fdbde 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000762fdc81 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 00000000762fdc85 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c9f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ca2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753a124e 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000760c58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000760c5ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000760c7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000760cb895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000760cc332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000760ccbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000760ce743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000760f4857 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076188332 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076188bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761890d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076189679 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761897d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007618ee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007618efc9 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007618efcd 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761912a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007619291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetParent 0000000076192d64 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076192d68 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076192da4 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076193698 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007619369c 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076193baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076193c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076196110 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007619612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076196c30 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076197603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076197668 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761976e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007619781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007619835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007619c4b6 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007619c4ba 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761ac112 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761ad0f5 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761aeb96 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761aec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761aec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendInput 00000000761aff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761aff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000761c9f1d 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761d1497 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!mouse_event 00000000761e027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761e02bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761e6cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761e6d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!BlockInput 00000000761e7dd7 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000761e7ddb 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761e88eb 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761e88ef 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755d1401 2 bytes JMP 762ab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755d1419 2 bytes JMP 762ab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755d1431 2 bytes JMP 76328ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755d144a 2 bytes CALL 762848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755d14dd 2 bytes JMP 763287a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755d14f5 2 bytes JMP 76328978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755d150d 2 bytes JMP 76328698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755d1525 2 bytes JMP 76328a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755d153d 2 bytes JMP 7629fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755d1555 2 bytes JMP 762a68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755d156d 2 bytes JMP 76328f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755d1585 2 bytes JMP 76328ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755d159d 2 bytes JMP 7632865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755d15b5 2 bytes JMP 7629fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755d15cd 2 bytes JMP 762ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755d16b2 2 bytes JMP 76328e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755d16bd 2 bytes JMP 763285f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a0f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a0f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a0fb28 3 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a0fb2c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a0fcb0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a0fcb4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a0fd64 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a0fd68 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a0fdc8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a0fdcc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a0fec0 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a0fec4 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a0ff74 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a0ff78 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a0ffa4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a0ffa8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a10004 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a10008 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a10084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a10088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a100b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a100b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a103b8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a103bc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077a103d0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077a103d4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a10550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a10554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a10694 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a10698 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077a106f4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077a106f8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a1079c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077a107a0 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077a107e4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077a107e8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077a10874 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077a10878 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1088c 3 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a10890 2 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a108a4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a108a8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a10df4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a10df8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a10ed8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a10edc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a11be4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a11be8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a11cb4 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a11cb8 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a11d8c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a11d90 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a31287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076293bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076293bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076299aa4 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000762a3b62 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000762accd1 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000762fb2fe 5 bytes JMP 00000001100078e0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000762fdbde 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000762fdc81 3 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 00000000762fdc85 2 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c9f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ca2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753a124e 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076188332 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076188bff 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761890d3 6 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076189679 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761897d2 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007618ee09 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007618efc9 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007618efcd 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761912a5 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007619291f 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetParent 0000000076192d64 3 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076192d68 2 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076192da4 6 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076193698 3 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007619369c 2 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076193baa 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076193c61 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076196110 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007619612e 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076196c30 6 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076197603 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076197668 6 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761976e0 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007619781f 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007619835c 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007619c4b6 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007619c4ba 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761ac112 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761ad0f5 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761aeb96 6 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761aec68 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761aec6c 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendInput 00000000761aff4a 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761aff4e 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000761c9f1d 6 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761d1497 6 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!mouse_event 00000000761e027b 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761e02bf 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761e6cfc 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761e6d5d 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!BlockInput 00000000761e7dd7 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000761e7ddb 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761e88eb 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761e88ef 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000760c58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000760c5ea6 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000760c7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000760cb895 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000760cc332 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000760ccbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000760ce743 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000760f4857 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076829708 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000076a2b901 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763c9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755d1401 2 bytes JMP 762ab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755d1419 2 bytes JMP 762ab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755d1431 2 bytes JMP 76328ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755d144a 2 bytes CALL 762848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755d14dd 2 bytes JMP 763287a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755d14f5 2 bytes JMP 76328978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755d150d 2 bytes JMP 76328698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755d1525 2 bytes JMP 76328a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755d153d 2 bytes JMP 7629fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755d1555 2 bytes JMP 762a68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755d156d 2 bytes JMP 76328f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755d1585 2 bytes JMP 76328ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755d159d 2 bytes JMP 7632865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755d15b5 2 bytes JMP 7629fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755d15cd 2 bytes JMP 762ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755d16b2 2 bytes JMP 76328e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755d16bd 2 bytes JMP 763285f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 5601c01 .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes JMP 131c .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes {JMP QWORD [RIP+0x127658]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes {JMP QWORD [RIP+0x1e3750]} .text C:\Windows\System32\svchost.exe[2116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 7748 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes JMP 1000100 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes JMP 238 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[2564] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe0822cc 6 bytes JMP 7748 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe0824c0 6 bytes JMP 1000100 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe085bf0 6 bytes {JMP QWORD [RIP+0x1ca440]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe088398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe0889d8 6 bytes JMP fd6493d0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe089344 6 bytes JMP 238 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe08b9f8 6 bytes {JMP QWORD [RIP+0x204638]} .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe08c8e0 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[2576] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a0f9e0 3 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a0f9e4 2 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a0fb28 3 bytes JMP 70ad000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a0fb2c 2 bytes JMP 70ad000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a0fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a0fcb4 2 bytes [CD, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a0fd64 3 bytes JMP 70b9000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a0fd68 2 bytes JMP 70b9000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a0fdc8 3 bytes JMP 70bf000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a0fdcc 2 bytes JMP 70bf000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a0fec0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a0fec4 2 bytes [B5, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a0ff74 3 bytes JMP 70e6000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a0ff78 2 bytes JMP 70e6000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a0ffa4 3 bytes JMP 70c2000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a0ffa8 2 bytes JMP 70c2000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a10004 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a10008 2 bytes [D9, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a10084 3 bytes JMP 70d7000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a10088 2 bytes JMP 70d7000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a100b4 3 bytes JMP 70bc000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a100b8 2 bytes JMP 70bc000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a103b8 3 bytes JMP 70a7000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a103bc 2 bytes JMP 70a7000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077a103d0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077a103d4 2 bytes {JMP 0x72} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a10550 3 bytes JMP 70ef000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a10554 2 bytes JMP 70ef000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a10694 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a10698 2 bytes [CA, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077a106f4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077a106f8 2 bytes [E2, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a1079c 3 bytes JMP 70e9000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077a107a0 2 bytes JMP 70e9000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077a107e4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077a107e8 2 bytes [DC, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077a10874 3 bytes JMP 70e0000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077a10878 2 bytes JMP 70e0000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1088c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a10890 2 bytes [B2, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a108a4 3 bytes JMP 70aa000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a108a8 2 bytes JMP 70aa000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a10df4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a10df8 2 bytes [C7, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a10ed8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a10edc 2 bytes [AF, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a11be4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a11be8 2 bytes [C4, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a11cb4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a11cb8 2 bytes [D3, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a11d8c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a11d90 2 bytes [D0, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a31287 6 bytes JMP 71a3000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076288791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076293bbb 3 bytes JMP 7197000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076293bbf 2 bytes JMP 7197000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076299aa4 6 bytes {JMP QWORD [RIP+0x7178001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000762a3b62 6 bytes JMP 7170000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000762accd1 6 bytes {JMP QWORD [RIP+0x717b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000762fb2fe 5 bytes JMP 00000001100078e0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000762fdbde 6 bytes {JMP QWORD [RIP+0x7175001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000762fdc81 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 00000000762fdc85 2 bytes [72, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c9f784 6 bytes {JMP QWORD [RIP+0x7199001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ca2c9e 4 bytes CALL 71ac0000 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076188332 6 bytes JMP 7149000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076188bff 6 bytes {JMP QWORD [RIP+0x713c001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761890d3 6 bytes JMP 70f8000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076189679 6 bytes JMP 7137000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761897d2 6 bytes JMP 7131000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007618ee09 6 bytes {JMP QWORD [RIP+0x714e001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007618efc9 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007618efcd 2 bytes [FD, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761912a5 6 bytes JMP 7143000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007619291f 6 bytes {JMP QWORD [RIP+0x7115001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetParent 0000000076192d64 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076192d68 2 bytes [0C, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076192da4 6 bytes {JMP QWORD [RIP+0x70f4001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076193698 3 bytes JMP 710a000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007619369c 2 bytes JMP 710a000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076193baa 6 bytes {JMP QWORD [RIP+0x7145001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076193c61 6 bytes {JMP QWORD [RIP+0x713f001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076196110 6 bytes {JMP QWORD [RIP+0x714b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007619612e 6 bytes JMP 713a000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076196c30 6 bytes {JMP QWORD [RIP+0x70fa001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076197603 6 bytes JMP 7152000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076197668 6 bytes {JMP QWORD [RIP+0x7124001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761976e0 6 bytes {JMP QWORD [RIP+0x712a001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007619781f 6 bytes JMP 7134000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007619835c 6 bytes {JMP QWORD [RIP+0x7154001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007619c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007619c4ba 2 bytes [06, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761ac112 6 bytes {JMP QWORD [RIP+0x7121001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761ad0f5 6 bytes {JMP QWORD [RIP+0x711e001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761aeb96 6 bytes JMP 7113000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761aec68 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761aec6c 2 bytes [18, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendInput 00000000761aff4a 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761aff4e 2 bytes [1B, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000761c9f1d 6 bytes {JMP QWORD [RIP+0x7100001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761d1497 6 bytes {JMP QWORD [RIP+0x70f1001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!mouse_event 00000000761e027b 6 bytes {JMP QWORD [RIP+0x7157001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761e02bf 6 bytes {JMP QWORD [RIP+0x715a001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761e6cfc 6 bytes {JMP QWORD [RIP+0x712d001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761e6d5d 6 bytes {JMP QWORD [RIP+0x7127001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!BlockInput 00000000761e7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000761e7ddb 2 bytes [03, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761e88eb 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761e88ef 2 bytes [0F, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076829708 6 bytes {JMP QWORD [RIP+0x7169001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000076a2b901 6 bytes {JMP QWORD [RIP+0x716c001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2548] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763c9d0b 6 bytes JMP 7194000a .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[1104] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[2716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes {JMP QWORD [RIP+0x218ba0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x8ffebc0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 6 bytes {JMP QWORD [RIP+0x8e9eac0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x8f7ea50]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 6 bytes {JMP QWORD [RIP+0x8f3ea10]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x8f9e970]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 6 bytes {JMP QWORD [RIP+0x8d9e900]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 6 bytes {JMP QWORD [RIP+0x8f1e8e0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 6 bytes {JMP QWORD [RIP+0x8e1e8a0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 6 bytes {JMP QWORD [RIP+0x8e3e850]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x8f5e830]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x903e640]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d5e630]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 6 bytes {JMP QWORD [RIP+0x8d3e530]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8ebe460]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 6 bytes {JMP QWORD [RIP+0x8dbe420]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 6 bytes {JMP QWORD [RIP+0x8d7e3b0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8dfe380]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 6 bytes {JMP QWORD [RIP+0x8dde320]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x8fbe310]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 6 bytes {JMP QWORD [RIP+0x901e300]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 6 bytes {JMP QWORD [RIP+0x8eddf90]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x8fddf00]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 6 bytes {JMP QWORD [RIP+0x8efd690]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 6 bytes {JMP QWORD [RIP+0x8e5d610]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 6 bytes {JMP QWORD [RIP+0x8e7d590]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077601890 6 bytes {JMP QWORD [RIP+0x8afe7a0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007760db80 6 bytes {JMP QWORD [RIP+0x8a524b0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007767f490 6 bytes {JMP QWORD [RIP+0x8a20ba0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007767f4c0 6 bytes {JMP QWORD [RIP+0x8a60b70]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007767f690 6 bytes {JMP QWORD [RIP+0x8a009a0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077685460 6 bytes {JMP QWORD [RIP+0x8a3abd0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde93e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff937490 6 bytes JMP 2a7670 .text C:\Windows\system32\svchost.exe[3504] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000f150a0 6 bytes {JMP QWORD [RIP+0x20af90]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077833b10 6 bytes {JMP QWORD [RIP+0x880c520]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077861360 5 bytes JMP 00000000779d0460 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778613a0 6 bytes {JMP QWORD [RIP+0x87bec90]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778613b0 5 bytes JMP 00000000779d0450 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077861470 6 bytes {JMP QWORD [RIP+0x90debc0]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077861510 5 bytes JMP 00000000779d0370 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077861560 5 bytes JMP 00000000779d0470 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077861570 5 bytes JMP 00000000779d03e0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778615e0 6 bytes {JMP QWORD [RIP+0x905ea50]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077861620 5 bytes JMP 00000000779d0320 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077861650 5 bytes JMP 00000000779d03b0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077861670 5 bytes JMP 00000000779d0390 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778616b0 5 bytes JMP 00000000779d02e0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778616c0 6 bytes {JMP QWORD [RIP+0x907e970]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077861730 5 bytes JMP 00000000779d02d0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077861750 5 bytes JMP 00000000779d0310 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077861790 5 bytes JMP 00000000779d03c0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778617e0 5 bytes JMP 00000000779d03f0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077861800 6 bytes {JMP QWORD [RIP+0x903e830]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077861940 5 bytes JMP 00000000779d0230 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778619f0 6 bytes {JMP QWORD [RIP+0x912e640]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077861a00 6 bytes {JMP QWORD [RIP+0x8d6e630]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077861b00 5 bytes JMP 00000000779d0480 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077861b30 5 bytes JMP 00000000779d03a0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077861bd0 6 bytes {JMP QWORD [RIP+0x8f5e460]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077861c10 5 bytes JMP 00000000779d02f0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077861c20 5 bytes JMP 00000000779d0350 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077861c80 5 bytes JMP 00000000779d0290 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077861cb0 6 bytes {JMP QWORD [RIP+0x8e4e380]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077861d10 5 bytes JMP 00000000779d02b0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077861d20 6 bytes {JMP QWORD [RIP+0x909e310]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077861d30 5 bytes JMP 00000000779d03d0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077861d40 5 bytes JMP 00000000779d0330 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077861db0 5 bytes JMP 00000000779d0410 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077861de0 5 bytes JMP 00000000779d0240 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778620a0 5 bytes JMP 00000000779d01e0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077862130 6 bytes {JMP QWORD [RIP+0x90bdf00]} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077862160 5 bytes JMP 00000000779d0250 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077862190 5 bytes JMP 00000000779d0490 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778621a0 5 bytes JMP 00000000779d04a0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778621d0 5 bytes JMP 00000000779d0300 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778621e0 5 bytes JMP 00000000779d0360 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077862240 5 bytes JMP 00000000779d02a0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077862290 5 bytes JMP 00000000779d02c0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778622c0 5 bytes JMP 00000000779d0380 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778622d0 5 bytes JMP 00000000779d0340 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778625c0 5 bytes JMP 00000000779d0440 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778627c0 5 bytes JMP 00000000779d0260 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778627d0 5 bytes JMP 00000000779d0270 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778627e0 5 bytes JMP 00000000779d0400 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778629a0 5 bytes JMP 00000000779d01f0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778629b0 5 bytes JMP 00000000779d0210 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077862a20 5 bytes JMP 00000000779d0200 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077862a80 5 bytes JMP 00000000779d0420 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077862a90 5 bytes JMP 00000000779d0430 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077862aa0 5 bytes JMP 00000000779d0220 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077862b80 5 bytes JMP 00000000779d0280 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd649055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a0f9e0 3 bytes JMP 71af000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a0f9e4 2 bytes JMP 71af000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a0fb28 3 bytes JMP 70be000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a0fb2c 2 bytes JMP 70be000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a0fcb0 3 bytes JMP 70df000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a0fcb4 2 bytes JMP 70df000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a0fd64 3 bytes JMP 70ca000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a0fd68 2 bytes JMP 70ca000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a0fdc8 3 bytes JMP 70d0000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a0fdcc 2 bytes JMP 70d0000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a0fec0 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a0fec4 2 bytes [C6, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a0ff74 3 bytes JMP 70f7000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a0ff78 2 bytes JMP 70f7000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a0ffa4 3 bytes JMP 70d3000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a0ffa8 2 bytes JMP 70d3000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a10004 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a10008 2 bytes [EA, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a10084 3 bytes JMP 70e8000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a10088 2 bytes JMP 70e8000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a100b4 3 bytes JMP 70cd000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a100b8 2 bytes JMP 70cd000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a103b8 3 bytes JMP 70b8000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a103bc 2 bytes JMP 70b8000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077a103d0 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077a103d4 2 bytes [FC, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a10550 3 bytes JMP 7100000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a10554 2 bytes JMP 7100000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a10694 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a10698 2 bytes [DB, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077a106f4 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077a106f8 2 bytes [F3, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a1079c 3 bytes JMP 70fa000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077a107a0 2 bytes JMP 70fa000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077a107e4 3 bytes JMP 70ee000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077a107e8 2 bytes JMP 70ee000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077a10874 3 bytes JMP 70f1000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077a10878 2 bytes JMP 70f1000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1088c 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a10890 2 bytes [C3, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a108a4 3 bytes JMP 70bb000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a108a8 2 bytes JMP 70bb000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a10df4 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a10df8 2 bytes [D8, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a10ed8 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a10edc 2 bytes [C0, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a11be4 3 bytes JMP 70d6000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a11be8 2 bytes JMP 70d6000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a11cb4 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a11cb8 2 bytes [E4, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a11d8c 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a11d90 2 bytes [E1, 70] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a31287 6 bytes JMP 71a8000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076293bbb 3 bytes JMP 719c000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076293bbf 2 bytes JMP 719c000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076299aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000762a3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000762accd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000762fb2fe 5 bytes JMP 00000001100078e0 .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000762fdbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000762fdc81 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 00000000762fdc85 2 bytes [7D, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c9f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ca2c9e 4 bytes CALL 71ac0000 .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076188332 6 bytes JMP 715a000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076188bff 6 bytes JMP 714e000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761890d3 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076189679 6 bytes JMP 7148000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761897d2 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007618ee09 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007618efc9 3 bytes JMP 710f000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007618efcd 2 bytes JMP 710f000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761912a5 6 bytes JMP 7154000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007619291f 6 bytes JMP 7127000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetParent 0000000076192d64 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076192d68 2 bytes [1D, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076192da4 6 bytes JMP 7106000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076193698 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007619369c 2 bytes [1A, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076193baa 6 bytes JMP 7157000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076193c61 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076196110 6 bytes JMP 715d000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007619612e 6 bytes JMP 714b000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076196c30 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076197603 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076197668 6 bytes JMP 7136000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761976e0 6 bytes JMP 713c000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007619781f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007619835c 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007619c4b6 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007619c4ba 2 bytes [17, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761ac112 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761ad0f5 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761aeb96 6 bytes JMP 7124000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761aec68 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761aec6c 2 bytes [29, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendInput 00000000761aff4a 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761aff4e 2 bytes [2C, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000761c9f1d 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761d1497 6 bytes {JMP QWORD [RIP+0x7102001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!mouse_event 00000000761e027b 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761e02bf 6 bytes JMP 716c000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761e6cfc 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761e6d5d 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!BlockInput 00000000761e7dd7 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000761e7ddb 2 bytes [14, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761e88eb 3 bytes [FF, 25, 1E] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761e88ef 2 bytes [20, 71] .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000760c58b3 6 bytes JMP 718d000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000760c5ea6 6 bytes JMP 7178000a .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000760c7bcc 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000760cb895 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000760cc332 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000760ccbfb 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000760ce743 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000760f4857 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753a124e 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Users\muun\Downloads\one05i4e.exe[5700] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000763c9d0b 6 bytes {JMP QWORD [RIP+0x7198001e]} ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800101ce94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800101cc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800101d614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800101da10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800101d86c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\services.exe[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\services.exe[ntdll.dll!NtShutdownSystem] [80710000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\services.exe[644] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\lsasrv.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\lsasrv.dll[ntdll.dll!NtShutdownSystem] [80710000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\lsasrv.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\SAMSRV.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\negoexts.DLL[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\kerberos.DLL[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\msv1_0.DLL[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\schannel.DLL[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\wdigest.DLL[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\pku2u.DLL[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsass.exe[652] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsm.exe[660] @ C:\Windows\system32\pcwum.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[752] @ c:\windows\system32\umpo.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[752] @ c:\windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\pcwum.DLL[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[752] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\nvvsvc.exe[828] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\nvvsvc.exe[828] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\nvvsvc.exe[828] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\nvvsvc.exe[828] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\nvvsvc.exe[828] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[868] @ c:\windows\system32\rpcepmap.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[868] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\VSSAPI.DLL[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ c:\windows\system32\wkssvc.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[392] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\System32\svchost.exe[628] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[628] @ c:\windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[628] @ c:\windows\system32\sysmain.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[704] @ c:\windows\system32\HTTPAPI.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[704] @ c:\windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\System32\mswsock.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\System32\mswsock.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[704] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[1156] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\System32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\System32\MSWSOCK.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\spoolsv.exe[1696] @ C:\Windows\System32\cscapi.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\pcwum.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[1780] @ c:\windows\system32\dps.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[1780] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[1828] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\Dwm.exe[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\Dwm.exe[1840] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\cscapi.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\System32\gameux.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\System32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\authui.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\HTTPAPI.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\pcwum.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2000] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[2116] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\hkcmd.exe[2564] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\igfxpers.exe[2576] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[1104] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[2716] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\svchost.exe[2716] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\svchost.exe[2716] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\svchost.exe[2716] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\svchost.exe[2716] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[2716] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\system32\svchost.exe[2716] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3448] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\System32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [807a0000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\System32\MSWSOCK.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\System32\svchost.exe[3628] @ C:\Windows\System32\pcwum.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80850000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSemaphore] [80660000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateMutant] [805b0000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80880000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80820000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [806e0000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateEvent] [80600000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [807f0000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80770000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\System32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[3288] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80770000] ---- Devices - GMER 2.1 ---- Device \Driver\JMCR \Device\Scsi\JMCR3Port3Path0TargetffLun0 fffffa8002b352c0 Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa8002b352c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa8002b352c0 Device \Driver\JMCR \Device\Scsi\JMCR2Port2Path0TargetffLun0 fffffa8002b352c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa8002b352c0 Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa8002b352c0 Device \Driver\JMCR \Device\Scsi\JMCR4Port4Path0TargetffLun0 fffffa8002b352c0 Device \Driver\JMCR \Device\Scsi\JMCR1Port1Path0TargetffLun0 fffffa8002b352c0 Device \FileSystem\Ntfs \Ntfs fffffa800201b2c0 Device \FileSystem\fastfat \Fat fffffa800961b2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8002a852c0 Device \Driver\cdrom \Device\CdRom0 fffffa800274b2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8002a852c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{951C4470-B197-4954-8AEB-72D7F41D5FB8} fffffa80028f12c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8002a852c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{3CFB783C-CC41-4231-947C-5FAAA70BC72E} fffffa80028f12c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80028f12c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{42352D23-DE6F-4F50-A5F4-BA24089C7AA7} fffffa80028f12c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8002a852c0 Device \Driver\JMCR \Device\ScsiPort1 fffffa8002b352c0 Device \Driver\JMCR \Device\ScsiPort2 fffffa8002b352c0 Device \Driver\JMCR \Device\ScsiPort3 fffffa8002b352c0 Device \Driver\JMCR \Device\ScsiPort4 fffffa8002b352c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2116:3596] 000007fef15d9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3448:2652] 000000018000c920 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3448:3740] 000000018000c920 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3448:4248] 0000000180026f10 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3448:4320] 0000000180026f10 Thread C:\Windows\system32\taskhost.exe [3288:2092] 000000018000c920 Thread C:\Windows\system32\taskhost.exe [3288:4476] 000000018000c920 Thread C:\Windows\system32\taskhost.exe [3288:4456] 0000000180026f10 Thread C:\Windows\system32\taskhost.exe [3288:1340] 0000000180026f10 Thread C:\Windows\system32\taskhost.exe [3288:1048] 000007fefe3f6a40 ---- Processes - GMER 2.1 ---- Library C:\Windows\system32\spool\DRIVERS\x64\3\NitroReaderUI3.dll (*** suspicious ***) @ C:\Windows\System32\spoolsv.exe [1696] 0000000073e90000 Library C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1876] 0000000009190000 Library C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight64.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1876] 000007fef2550000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xB5 0x57 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0x92 0xD3 0x92 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xB5 0x57 0x6C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0x92 0xD3 0x92 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Network Action Predictor 7168 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cache 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cache\data_0 45056 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cache\data_1 270336 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cache\data_2 8192 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cache\data_3 8192 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cache\index 262512 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cookies 6144 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Cookies-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Current Session 1861 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Extension State 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Extension State\000003.log 570 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Extension State\CURRENT 16 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Extension State\LOCK 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Extension State\LOG 47 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Extension State\MANIFEST-000002 50 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Favicons 20480 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Favicons-journal 512 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\History 94208 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\History Provider Cache 6 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\History-journal 512 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\JumpListIcons 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\JumpListIcons\5D00.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\JumpListIcons\5D01.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\JumpListIconsOld 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\JumpListIconsOld\E9B8.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\JumpListIconsOld\E9B9.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Local Extension Settings 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Local Storage 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage 3072 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage-journal 3608 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Login Data 12288 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Login Data-journal 512 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Network Action Predictor-journal 4640 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Preferences 2058 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Secure Preferences 18854 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Shortcuts 12288 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Shortcuts-journal 512 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Top Sites 20480 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Top Sites-journal 12824 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Visited Links 131072 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Web Data 71680 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Default\Web Data-journal 4624 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Local State 2002 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\pnacl 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Safe Browsing Cookies 6144 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\sfzone_profile\Safe Browsing Cookies-journal 1544 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Local 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Local\Temp 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Roaming\Microsoft 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Roaming\Microsoft\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Roaming\Microsoft\Windows\Recent 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations 0 bytes File C:\avast! sandbox\S-1-5-21-543189089-2044631228-4276830283-1002\sfzone\C\Users\muun\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d6a3daeaf363f6c2.customDestinations-ms 6306 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 17408 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{728675af-91a5-11e4-916c-a0f3c1a08d33}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{728675af-91a5-11e4-916c-a0f3c1a08d33}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{728675af-91a5-11e4-916c-a0f3c1a08d33}.TMContainer00000000000000000002.regtrans-ms 524288 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\DB60723360403056CD904EFFDBBE6A880706EBE0 321279 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\CBA9721B36E7CAA95166528BBA91A7CA86711F40 320978 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\4853DB2921D07499BE77962A97DF91267BE99510 2644 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\93508AC9C40B2944F6AE6DFBB4F17F3B7ACAE2D0 10779 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\DB449DAF7FFD6BF02D5E557392E017D761F6D867 897 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\A52D6062F05018BDBA7AE59AEC2E8C4C5780A62D 1150687 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\9BCF2EAA7938614AE823576C60B9EBDD9E554A6D 320988 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\87F9FB1E6E2BC9F411AFC12F3567FB3A251B02EF 6997 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\F5CDDA05DA9A30810896439C8043DF5850F256D8 4301 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\78F7136A0F408445244BDF94B26A8442ED6A9F5D 4963 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\DD96E7134C149B7F1D0F91F3A4C482992A757A12 320815 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\377D106136290EE18F2BAB3FC10AE22CBC4A1CBE 17142 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\5228E6C69A974F01DC89CD94226CDCBE0A5B804B 1662 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\453E3743B39B63CA3117F8203E8807FB1A58B93F 6272 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\82EE46A4FA9FECA331776A377654809D644E50B7 9857 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\57DCBD3AA2798F120F7F8092BC1F5F2144337916 1209802 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\57DE8D5182D68C6FDD83FF23CA3EC9D273D745A0 897 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\1DFA158FCC6EDD71975A89AB0FC504FDE1813CEF 1712 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\28F4530794871122A60214BEE1B6589BBAB988D9 900 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\679B10AF3D9CDBD188790D815224F87C4C8AA1B7 1712 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\5D58FA76502332D62BF7CACD889F98CF5E81380B 25642 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\9D2CFF10E90C418E5EAFDC9C87FCAB27D7286306 55476 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\46B5528BB471F0E30976C4AA3ED0E9E8916F1C65 13829 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\1AB0CAFBC1FD91286D861B6B563C77B26E7689A0 4181 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\461E3DA0C2DED37DD3E552787232BC44F19B213B 320777 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\74D8DE8D4C3B80BADBC493C792CF415C9112E5D0 4338 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\7DF7E2A38C60DA8ED27A319E023F7124F5636871 4148 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\B2B0A6EFCB6D7F80B4F5B327309737383842BB15 1035 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\FEF9C2C99410431C12AF7341A158DFED189163B6 11156 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\C8C58E328232A7042407D6E14C03F4BE746F61BE 2976 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\C84FE559984CD2289F22D37992BBC84E64F78056 66664 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\7E400B83C5C2167BE931D634C03DE3EB6B5BF8C0 739 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\C3968E6C7537DED1536165354B5A19C098486D10 2596 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\5A9C0C1867BC2E435346FF94D352133BAEEB769F 1688 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\E5673D0043CFA1BDFD7FF6911A6BC33E6359BF4A 11009 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\03D54803ACFC97E87B9A3590F6C6BF8D65E39620 6037 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\90F85DFD643C821E60B69216C33BF6ED4B9710A1 52047 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\42251FEDAA9DDD8999DCD6079347DF8FF92EAF26 10180 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\CB4D70247FEEDBF9C0709B79DC19D4045C924CD0 1236084 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\1D4D7FFAC4E257916899A30D39D8C6FDF26478C3 320678 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\B364CE99FCEA6B26A8B5EE26A3E6A6A4484D12A7 2770 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\8AD8940543B5320831EFD4FB4FF8015C7123AAF1 1181442 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\279171F71C1046B27DED7E16A4BED0B5E9C5FE93 7965 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\F61B0F2374DCA1BB9FAFA49F9083A3AB064951B8 31159 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\CC8C4B2762FEBA55212330670267CA56AD6E04CC 65119 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\186C7BF168D6FF82DB7D111B88420CB5AC603CC0 4043 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\E14A4D2C030A55CF3CCCB7347055EF94465F1CA9 976 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\7CB240A25433C69E4163C0363155BCB9C8466852 7083 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\3A02450CE7F3ED8AC77EF87C1DF167D0B9B8BEF2 8426 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\13264022F661CE7FEFB39B4140901A033C8C43CD 1184119 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\293C6D850510A19D891B2640A7791F00F48BA260 1662 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\9561714852F2C3A8F2E23FD0F3D436C7010FB098 2143 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\76A0529D9E522518D6C63FAC38065274A2FEDDAF 320816 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\6A3BF5EDF5BEF0D3319A0210A10654832D54A64E 320589 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\C9C904BCA3CA6AA16DF1672849CADD665A77DD87 3857 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\40BB706EA9F9463847F4FC8BB831A2285D195917 16612 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\3094CDA8A1B54A95E1395332BFA9BF979150D6C8 320909 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\F25B4CDF95ACB4D3E9365CA967D6EA4656B908E4 2079 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\D68A16BE7D60517A1422BA3D2988B2E1F72E40DD 6135 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\21E10E0E6C75F7AA0B65ECE99740ACDC3B122980 320785 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\10E3214EF1AB83AF1AFCE46707542D55A1F13E3C 321271 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\1638BE2B3BE0EDD43F4F2BE9348BDA07E782537F 2682 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\A1CD864BF68A12B637CB85DE031C8D7CB58804C3 1308932 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\0936DCA6F8FD416F288BCFF7C5190148B08456A8 41310 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\F17CBD255B1F679D74D223ECC87AFA4868789CE4 320877 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\43E900602354173E14DA770C9631407BEEB75809 156455 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\7451C8F54F687882D63F417AF2B11E3CA544B3CD 202229 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\8E88FA881AC3BF1914072D7F9C1AB1657DE0F492 4035 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\101CB22B2B1E4ADC2FE659922957938251DC3C16 2057 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\4493CB5C50ADD449771933B0B26B196817211B7B 13427 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\91934EAF19268AD7E0B4ED50B2947B3EE814BDE0 7779 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\078B93A55E84D99CF4B852B4091C91030FA85B64 57559 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\B05DADB972F43CBFBE545047143F9BF381D31BCD 19159 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\25C2A6E7559D2691F8333F6CC5A181B11368787E 1314384 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\FB99735AD2914019B4B7C68BD7E6DF7807174ABF 8956 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\5767CA43A68D4039C7DD4C72473750C3432767A5 2073 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\CB2F897EDD8693E22604A5B9AF523AC13ED23822 897 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\89CD7E4B9228FC20A213EFD506E912555E8423E5 179 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\19B06E46E8EC18AF4F1559E9354E49DC72317FF8 2081 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\6B9A5BB21CE476CBEAC7DF6FB6B805F4504FFADB 8121 bytes File C:\Users\muun\AppData\Local\Mozilla\Firefox\Profiles\4e1m4yi8.default\cache2\entries\E21442B4FDF4C4805B758DAADF98A91D6B381066 16051 bytes ---- EOF - GMER 2.1 ----