GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-05 17:48:14 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: xzqfg0jj.exe; Driver: C:\Users\tomek\AppData\Local\Temp\kwddykog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\services.exe[540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\services.exe[540] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe8a5720 6 bytes {JMP QWORD [RIP+0x22a910]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd0239f0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077017640 6 bytes {JMP QWORD [RIP+0x93c89f0]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077019554 6 bytes {JMP QWORD [RIP+0x94a6adc]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SetParent 0000000077019870 6 bytes {JMP QWORD [RIP+0x93e67c0]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SetWindowLongA 000000007701c044 6 bytes {JMP QWORD [RIP+0x9143fec]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!PostMessageA 000000007701ca54 6 bytes {JMP QWORD [RIP+0x91835dc]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!EnableWindow 000000007701d0f0 6 bytes {JMP QWORD [RIP+0x94e2f40]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!MoveWindow 000000007701d120 6 bytes {JMP QWORD [RIP+0x9402f10]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007701f0c4 6 bytes {JMP QWORD [RIP+0x93a0f6c]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007701f690 6 bytes {JMP QWORD [RIP+0x94809a0]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007701fc50 6 bytes {JMP QWORD [RIP+0x91c03e0]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendMessageA 000000007701fcd8 6 bytes {JMP QWORD [RIP+0x9200358]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000770203f0 6 bytes {JMP QWORD [RIP+0x92dfc40]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077021f30 6 bytes {JMP QWORD [RIP+0x94be100]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077022294 6 bytes {JMP QWORD [RIP+0x90fdd9c]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077023464 6 bytes {JMP QWORD [RIP+0x91dcbcc]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077025c34 6 bytes {JMP QWORD [RIP+0x915a3fc]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000770271e9 5 bytes {JMP QWORD [RIP+0x9118e48]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!GetKeyState 00000000770278c0 6 bytes {JMP QWORD [RIP+0x9378770]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077028e28 6 bytes {JMP QWORD [RIP+0x9297208]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077028f9c 6 bytes {JMP QWORD [RIP+0x9257094]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!PostMessageW 00000000770292d4 6 bytes {JMP QWORD [RIP+0x9196d5c]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendMessageW 000000007702a800 6 bytes {JMP QWORD [RIP+0x9215830]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000077030bf8 6 bytes {JMP QWORD [RIP+0x930f438]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!GetClipboardData 0000000077031584 6 bytes {JMP QWORD [RIP+0x944eaac]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000077032360 6 bytes {JMP QWORD [RIP+0x940dcd0]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000077035508 6 bytes {JMP QWORD [RIP+0x92aab28]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!mouse_event 00000000770362c4 6 bytes {JMP QWORD [RIP+0x90a9d6c]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000770391a0 6 bytes {JMP QWORD [RIP+0x9346e90]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000770392e0 6 bytes {JMP QWORD [RIP+0x9226d50]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077039320 6 bytes {JMP QWORD [RIP+0x90c6d10]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendInput 00000000770393d0 6 bytes {JMP QWORD [RIP+0x9326c60]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!BlockInput 000000007703b430 6 bytes {JMP QWORD [RIP+0x9424c00]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000770616e0 6 bytes {JMP QWORD [RIP+0x94be950]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!keybd_event 0000000077084474 6 bytes {JMP QWORD [RIP+0x903bbbc]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007708cc58 6 bytes {JMP QWORD [RIP+0x92933d8]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007708dec8 6 bytes {JMP QWORD [RIP+0x9212168]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 20 .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x3adc18]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3c8c80]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x4044ec]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3e23b8]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes JMP 43d0435 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x4dcc0]} .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes JMP 4e40c3b .text C:\Windows\system32\lsass.exe[548] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000e039f0 6 bytes {JMP QWORD [RIP+0x7c640]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes JMP 1 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes JMP 3d69f3d2 .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x5dcc0]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x7da98]} .text C:\Windows\system32\lsm.exe[556] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d739f0 6 bytes {JMP QWORD [RIP+0xfc640]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe8a5720 6 bytes {JMP QWORD [RIP+0x22a910]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x3adc18]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3c8c80]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x4044ec]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3e23b8]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\svchost.exe[712] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000d939f0 6 bytes {JMP QWORD [RIP+0xfc640]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe8a5720 6 bytes {JMP QWORD [RIP+0x22a910]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x3adc18]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3c8c80]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes JMP 27100352 .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x4044ec]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3e23b8]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes JMP 890f .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000dc39f0 6 bytes {JMP QWORD [RIP+0x7c640]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes JMP 74006b .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\atiesrxx.exe[996] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\System32\svchost.exe[124] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000ef39f0 6 bytes {JMP QWORD [RIP+0x19c640]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes JMP 10002 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes JMP 3e5ea01 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes JMP 948f622 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes JMP 92e22c0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes JMP 7f1ebe1 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes JMP 43b6c31 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes JMP 108843a .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes JMP a81 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes JMP 101b14a .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes JMP 103f881 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes JMP 3d46681 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes JMP 9324780 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes JMP 88881 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes JMP 9a75458 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes JMP 84a2049 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes JMP 730079 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\System32\svchost.exe[360] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000fc39f0 6 bytes {JMP QWORD [RIP+0x7c640]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe8a5720 6 bytes {JMP QWORD [RIP+0x22a910]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes JMP 3adbf0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3c8c80]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes JMP 80000059 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3e23b8]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\svchost.exe[364] c:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d839f0 6 bytes {JMP QWORD [RIP+0x10c640]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\AUDIODG.EXE[384] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes JMP 397ec8 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes JMP 890f .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000ef39f0 6 bytes {JMP QWORD [RIP+0x66c640]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 146d .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000022439f0 6 bytes {JMP QWORD [RIP+0x7c640]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes JMP 630105 .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\System32\spoolsv.exe[1316] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000021839f0 6 bytes JMP 1000100 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe8a5720 6 bytes {JMP QWORD [RIP+0x22a910]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x3adc18]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3c8c80]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x4044ec]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3e23b8]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d939f0 6 bytes {JMP QWORD [RIP+0xcc640]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 0 .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\taskhost.exe[2032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes JMP 38dc50 .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes JMP a8 .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes JMP 9 .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes JMP 38bf30 .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\Dwm.exe[1412] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes JMP ff169388 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes JMP 52f15c89 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes JMP 9834061 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes JMP fda8c6b8 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd0239f0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes JMP 43d0435 .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\System32\rundll32.exe[2288] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x3ede04]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x40dc18]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x428c80]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0x3a7dd8]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes JMP cccccccc .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0x3c69cc]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x4644ec]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x4423b8]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[2640] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x3ede04]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x40dc18]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x428c80]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes JMP c1f8d687 .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0x387cb8]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0x3c69cc]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x4644ec]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x4423b8]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\System32\igfxpers.exe[2828] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes JMP 0 .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\igfxsrvc.exe[2876] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\igfxext.exe[2944] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\wbem\unsecapp.exe[2268] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes {JMP QWORD [RIP+0x3c23b8]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes {JMP QWORD [RIP+0x38dc18]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes {JMP QWORD [RIP+0x3a8c80]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes {JMP QWORD [RIP+0x3e44ec]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2536] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes [42, 5B, 06] .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\SearchIndexer.exe[2580] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2804] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2804] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2804] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077252fd0 6 bytes {JMP QWORD [RIP+0x8ded060]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007727ffa0 6 bytes {JMP QWORD [RIP+0x8da0090]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077280170 6 bytes {JMP QWORD [RIP+0x935fec0]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772801e0 6 bytes {JMP QWORD [RIP+0x943fe50]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077280220 6 bytes {JMP QWORD [RIP+0x93ffe10]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772802c0 6 bytes {JMP QWORD [RIP+0x945fd70]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077280350 6 bytes {JMP QWORD [RIP+0x93dfce0]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077280390 6 bytes {JMP QWORD [RIP+0x92dfca0]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772803e0 6 bytes {JMP QWORD [RIP+0x92ffc50]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077280400 6 bytes {JMP QWORD [RIP+0x941fc30]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772805f0 6 bytes {JMP QWORD [RIP+0x94dfa40]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077280700 6 bytes {JMP QWORD [RIP+0x92bf930]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772807d0 6 bytes {JMP QWORD [RIP+0x937f860]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077280920 6 bytes {JMP QWORD [RIP+0x947f710]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077280930 6 bytes {JMP QWORD [RIP+0x94bf700]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077280ca0 6 bytes {JMP QWORD [RIP+0x939f390]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077280d30 6 bytes {JMP QWORD [RIP+0x949f300]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772815a0 6 bytes {JMP QWORD [RIP+0x93bea90]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077281620 6 bytes {JMP QWORD [RIP+0x931ea10]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772816a0 6 bytes {JMP QWORD [RIP+0x933e990]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007711b3d0 6 bytes {JMP QWORD [RIP+0x8f84c60]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\kernel32.dll!CreateProcessW 000000007712e7b0 6 bytes {JMP QWORD [RIP+0x8f31880]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771a8730 6 bytes {JMP QWORD [RIP+0x8ed7900]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd2aa4c8 3 bytes CALL 9b30000 .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b4920 5 bytes [FF, 25, 10, B7, 0A] .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe74222c 6 bytes {JMP QWORD [RIP+0x32de04]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe742418 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe7473b0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe748258 6 bytes {JMP QWORD [RIP+0xd7dd8]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe748378 6 bytes {JMP QWORD [RIP+0xb7cb8]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe749664 6 bytes {JMP QWORD [RIP+0xf69cc]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe74bb44 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe74dc78 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe9da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefe9ffa50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3112] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcfd2370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcfd2598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\System32\svchost.exe[3112] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000d939f0 6 bytes {JMP QWORD [RIP+0x7c640]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007742f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007742f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007742fc50 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007742fc54 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007742fd04 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007742fd08 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007742fd68 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007742fd6c 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007742fe60 3 bytes JMP 70df000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007742fe64 2 bytes JMP 70df000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007742ff44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007742ff48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007742ffa4 3 bytes JMP 7103000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007742ffa8 2 bytes JMP 7103000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077430024 3 bytes JMP 7100000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077430028 2 bytes JMP 7100000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077430054 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077430058 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077430358 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007743035c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774304f0 3 bytes JMP 7106000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774304f4 2 bytes JMP 7106000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077430634 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077430638 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007743082c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077430830 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077430844 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077430848 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077430d94 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077430d98 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077430e78 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077430e7c 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077431b84 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077431b88 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077431c54 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077431c58 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077431d2c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077431d30 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077451067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b9102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b91062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076bb126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000753aeae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 00000000753b1d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075818b7c 6 bytes JMP 7160000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075818e6e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007581cd35 6 bytes JMP 714e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007581d0da 6 bytes JMP 7148000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007581d277 3 bytes JMP 7115000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007581d27b 2 bytes JMP 7115000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007581f0e6 6 bytes JMP 7166000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075820f14 6 bytes JMP 715a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075820f9f 3 bytes JMP 710f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075820fa3 2 bytes JMP 710f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075822902 6 bytes JMP 712d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000758235fb 3 bytes JMP 7121000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000758235ff 2 bytes JMP 7121000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075823cbf 6 bytes JMP 715d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075823d76 6 bytes JMP 7157000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetParent 0000000075823f14 3 bytes JMP 7124000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075823f18 2 bytes JMP 7124000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075823f54 6 bytes JMP 710c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075824858 6 bytes JMP 712a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007582492a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007582492e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075828364 6 bytes JMP 716c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007582b7e6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007582b7ea 2 bytes JMP 711e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007582c991 6 bytes JMP 7139000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758306b3 6 bytes JMP 7169000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007583090f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075832959 6 bytes JMP 7136000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007583eef4 6 bytes JMP 7151000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007583ef4a 6 bytes JMP 7163000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007583f422 6 bytes JMP 714b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007583f9b0 6 bytes JMP 7112000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075840f60 6 bytes JMP 713c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendInput 000000007584195e 3 bytes JMP 7133000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075841962 2 bytes JMP 7133000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075859f3b 6 bytes JMP 7118000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000758615ef 6 bytes JMP 7109000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!mouse_event 000000007587040b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!keybd_event 000000007587044f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075876e8c 6 bytes JMP 7145000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075876eed 6 bytes JMP 713f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075877f67 3 bytes JMP 711b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075877f6b 2 bytes JMP 711b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075878a7b 3 bytes JMP 7127000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075878a7f 2 bytes JMP 7127000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e95876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e995f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9b8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9ba55 6 bytes JMP 7175000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c74f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4636 6 bytes JMP 7178000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000765b14fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000765b42a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074fa11a0 6 bytes JMP 7181000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756a1401 2 bytes JMP 76baeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756a1419 2 bytes JMP 76bbb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756a1431 2 bytes JMP 76c38609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756a144a 2 bytes CALL 76b91dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756a14dd 2 bytes JMP 76c37efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756a14f5 2 bytes JMP 76c380d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756a150d 2 bytes JMP 76c37df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756a1525 2 bytes JMP 76c381c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756a153d 2 bytes JMP 76baf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756a1555 2 bytes JMP 76bbb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756a156d 2 bytes JMP 76c386c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756a1585 2 bytes JMP 76c38222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756a159d 2 bytes JMP 76c37db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756a15b5 2 bytes JMP 76baf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756a15cd 2 bytes JMP 76bbb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756a16b2 2 bytes JMP 76c38584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756a16bd 2 bytes JMP 76c37d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000006e2411a8 2 bytes [24, 6E] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000006e24127d 2 bytes CALL 76b914dd C:\Windows\syswow64\kernel32.dll .text ... * 6 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000006e2413a8 2 bytes [24, 6E] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000006e241422 2 bytes [24, 6E] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[852] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000006e241498 2 bytes [24, 6E] .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007742f980 3 bytes JMP 71af000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007742f984 2 bytes JMP 71af000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007742fc50 3 bytes JMP 70f7000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007742fc54 2 bytes JMP 70f7000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007742fd04 3 bytes JMP 70e2000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007742fd08 2 bytes JMP 70e2000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007742fd68 3 bytes JMP 70e8000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007742fd6c 2 bytes JMP 70e8000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007742fe60 3 bytes JMP 70df000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007742fe64 2 bytes JMP 70df000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007742ff44 3 bytes JMP 70eb000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007742ff48 2 bytes JMP 70eb000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007742ffa4 3 bytes JMP 7103000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007742ffa8 2 bytes JMP 7103000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077430024 3 bytes JMP 7100000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077430028 2 bytes JMP 7100000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077430054 3 bytes JMP 70e5000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077430058 2 bytes JMP 70e5000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077430358 3 bytes JMP 70d3000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007743035c 2 bytes JMP 70d3000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774304f0 3 bytes JMP 7106000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774304f4 2 bytes JMP 7106000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077430634 3 bytes JMP 70f4000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077430638 2 bytes JMP 70f4000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007743082c 3 bytes JMP 70dc000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077430830 2 bytes JMP 70dc000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077430844 3 bytes JMP 70d6000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077430848 2 bytes JMP 70d6000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077430d94 3 bytes JMP 70f1000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077430d98 2 bytes JMP 70f1000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077430e78 3 bytes JMP 70d9000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077430e7c 2 bytes JMP 70d9000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077431b84 3 bytes JMP 70ee000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077431b88 2 bytes JMP 70ee000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077431c54 3 bytes JMP 70fd000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077431c58 2 bytes JMP 70fd000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077431d2c 3 bytes JMP 70fa000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077431d30 2 bytes JMP 70fa000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077451067 6 bytes JMP 71a8000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b9102d 6 bytes JMP 719c000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b91062 6 bytes JMP 7199000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076bb126f 6 bytes JMP 7190000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000753aeae7 6 bytes JMP 719f000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 00000000753b1d26 4 bytes CALL 71ac0000 .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075818b7c 6 bytes JMP 7160000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075818e6e 6 bytes JMP 7154000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendMessageW 000000007581cd35 6 bytes JMP 714e000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 000000007581d0da 6 bytes JMP 7148000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007581d277 3 bytes JMP 7115000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007581d27b 2 bytes JMP 7115000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007581f0e6 6 bytes JMP 7166000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075820f14 6 bytes JMP 715a000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075820f9f 3 bytes JMP 710f000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075820fa3 2 bytes JMP 710f000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075822902 6 bytes JMP 712d000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000758235fb 3 bytes JMP 7121000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000758235ff 2 bytes JMP 7121000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075823cbf 6 bytes JMP 715d000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075823d76 6 bytes JMP 7157000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetParent 0000000075823f14 3 bytes JMP 7124000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075823f18 2 bytes JMP 7124000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075823f54 6 bytes JMP 710c000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075824858 6 bytes JMP 712a000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007582492a 3 bytes JMP 7130000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007582492e 2 bytes JMP 7130000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075828364 6 bytes JMP 716c000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007582b7e6 3 bytes JMP 711e000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007582b7ea 2 bytes JMP 711e000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007582c991 6 bytes JMP 7139000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758306b3 6 bytes JMP 7169000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 000000007583090f 6 bytes JMP 7142000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075832959 6 bytes JMP 7136000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007583eef4 6 bytes JMP 7151000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SetWindowLongA 000000007583ef4a 6 bytes JMP 7163000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007583f422 6 bytes JMP 714b000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 000000007583f9b0 6 bytes JMP 7112000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075840f60 6 bytes JMP 713c000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendInput 000000007584195e 3 bytes JMP 7133000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075841962 2 bytes JMP 7133000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075859f3b 6 bytes JMP 7118000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000758615ef 6 bytes JMP 7109000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!mouse_event 000000007587040b 6 bytes JMP 716f000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!keybd_event 000000007587044f 6 bytes JMP 7172000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075876e8c 6 bytes JMP 7145000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075876eed 6 bytes JMP 713f000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075877f67 3 bytes JMP 711b000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075877f6b 2 bytes JMP 711b000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075878a7b 3 bytes JMP 7127000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075878a7f 2 bytes JMP 7127000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076e95876 6 bytes JMP 7184000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076e95ea6 6 bytes JMP 717e000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076e995f4 6 bytes JMP 718d000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076e9b8d0 6 bytes JMP 7187000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076e9ba55 6 bytes JMP 7175000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076e9c74f 6 bytes JMP 717b000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076e9e45d 6 bytes JMP 718a000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076ec4636 6 bytes JMP 7178000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000765b14fd 6 bytes JMP 7196000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000765b42a1 6 bytes JMP 7193000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074fa11a0 6 bytes JMP 7181000a .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756a1401 2 bytes JMP 76baeb26 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756a1419 2 bytes JMP 76bbb513 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756a1431 2 bytes JMP 76c38609 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756a144a 2 bytes CALL 76b91dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756a14dd 2 bytes JMP 76c37efe C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756a14f5 2 bytes JMP 76c380d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756a150d 2 bytes JMP 76c37df4 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756a1525 2 bytes JMP 76c381c2 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756a153d 2 bytes JMP 76baf088 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756a1555 2 bytes JMP 76bbb885 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756a156d 2 bytes JMP 76c386c1 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756a1585 2 bytes JMP 76c38222 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756a159d 2 bytes JMP 76c37db8 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756a15b5 2 bytes JMP 76baf121 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756a15cd 2 bytes JMP 76bbb29f C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756a16b2 2 bytes JMP 76c38584 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomek\Downloads\xzqfg0jj.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756a16bd 2 bytes JMP 76c37d4d C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [784:4248] 000007fefc3f8e80 Thread C:\Windows\System32\spoolsv.exe [1316:1540] 000007fef81d10c8 Thread C:\Windows\System32\spoolsv.exe [1316:1048] 000007fef80a6144 Thread C:\Windows\System32\spoolsv.exe [1316:1200] 000007fef93f5fd0 Thread C:\Windows\System32\spoolsv.exe [1316:1168] 000007fef8083438 Thread C:\Windows\System32\spoolsv.exe [1316:1944] 000007fef93f63ec Thread C:\Windows\System32\spoolsv.exe [1316:2060] 000007fef8275e5c Thread C:\Windows\system32\svchost.exe [1344:1448] 000007fef98a3060 Thread C:\Windows\system32\svchost.exe [1344:1940] 000007fef98a5570 Thread C:\Windows\system32\svchost.exe [1344:376] 000007fef8392888 Thread C:\Windows\system32\svchost.exe [1344:1392] 000007fef81e2940 Thread C:\Windows\system32\svchost.exe [1344:1236] 000007fef8392a40 Thread C:\Windows\system32\svchost.exe [1428:3276] 000007fef172f130 Thread C:\Windows\system32\svchost.exe [1428:3284] 000007fef1724734 Thread C:\Windows\system32\svchost.exe [1428:3320] 000007fef0fb5b84 Thread C:\Windows\system32\svchost.exe [1428:708] 000007fef1724734 Thread C:\Windows\system32\taskhost.exe [2032:1160] 000007fef89a2740 Thread C:\Windows\system32\taskhost.exe [2032:1232] 000007fef8991f38 Thread C:\Windows\system32\taskhost.exe [2032:992] 000007fefeec9274 Thread C:\Windows\system32\taskhost.exe [2032:2056] 000007fefad71010 Thread C:\Windows\system32\Dwm.exe [1412:3048] 000007fef79aabf0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2804:2068] 000007fefba62a74 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----