GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-19 19:18:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: tj8xsmr4.exe; Driver: C:\Users\luq92\AppData\Local\Temp\uwddqkow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002db9000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002db902f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077731360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077731560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774c98e0 6 bytes {JMP QWORD [RIP+0x8bd6750]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774e0650 6 bytes {JMP QWORD [RIP+0x8b7f9e0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007755acf0 6 bytes {JMP QWORD [RIP+0x8b25340]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[592] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd923e80 6 bytes JMP 0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd2a50a0 6 bytes JMP 9b3 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000775e6ef0 6 bytes {JMP QWORD [RIP+0x8df9140]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000775e8184 6 bytes {JMP QWORD [RIP+0x8ed7eac]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetParent 00000000775e8530 6 bytes {JMP QWORD [RIP+0x8e17b00]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000775e9bcc 6 bytes {JMP QWORD [RIP+0x8b76464]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostMessageA 00000000775ea404 6 bytes {JMP QWORD [RIP+0x8bb5c2c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!EnableWindow 00000000775eaaa0 6 bytes {JMP QWORD [RIP+0x8f15590]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!MoveWindow 00000000775eaad0 6 bytes {JMP QWORD [RIP+0x8e35560]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000775ec720 6 bytes {JMP QWORD [RIP+0x8dd3910]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000775ecd50 6 bytes {JMP QWORD [RIP+0x8eb32e0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000775ed2b0 6 bytes {JMP QWORD [RIP+0x8bf2d80]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageA 00000000775ed338 6 bytes {JMP QWORD [RIP+0x8c32cf8]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000775edc40 6 bytes {JMP QWORD [RIP+0x8d123f0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000775ef510 6 bytes {JMP QWORD [RIP+0x8ef0b20]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000775ef874 6 bytes {JMP QWORD [RIP+0x8b307bc]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000775efac0 6 bytes {JMP QWORD [RIP+0x8c90570]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000775f0b74 6 bytes {JMP QWORD [RIP+0x8c0f4bc]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000775f33b0 6 bytes {JMP QWORD [RIP+0x8b8cc80]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000775f4d4d 5 bytes {JMP QWORD [RIP+0x8b4b2e4]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetKeyState 00000000775f5010 6 bytes {JMP QWORD [RIP+0x8dab020]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000775f5438 6 bytes {JMP QWORD [RIP+0x8ccabf8]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageW 00000000775f6b50 6 bytes {JMP QWORD [RIP+0x8c494e0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostMessageW 00000000775f76e4 6 bytes {JMP QWORD [RIP+0x8bc894c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000775fdd90 6 bytes {JMP QWORD [RIP+0x8d422a0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetClipboardData 00000000775fe874 6 bytes {JMP QWORD [RIP+0x8e817bc]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000775ff780 6 bytes {JMP QWORD [RIP+0x8e408b0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000776028e4 6 bytes {JMP QWORD [RIP+0x8cdd74c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!mouse_event 0000000077603894 6 bytes {JMP QWORD [RIP+0x8adc79c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077608a10 6 bytes {JMP QWORD [RIP+0x8d77620]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077608be0 6 bytes {JMP QWORD [RIP+0x8c57450]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077608c20 6 bytes {JMP QWORD [RIP+0x8af7410]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendInput 0000000077608cd0 6 bytes {JMP QWORD [RIP+0x8d57360]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!BlockInput 000000007760ad60 6 bytes {JMP QWORD [RIP+0x8e552d0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000776314e0 6 bytes {JMP QWORD [RIP+0x8eeeb50]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!keybd_event 00000000776545a4 6 bytes {JMP QWORD [RIP+0x8a6ba8c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007765cc08 6 bytes {JMP QWORD [RIP+0x8cc3428]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007765df18 6 bytes {JMP QWORD [RIP+0x8c42118]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4622cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4624c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff465bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff468398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4689d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!GetPixel 000007feff469344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff46b9f8 6 bytes JMP 264638 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff46c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4622cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4624c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff465bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff468398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4689d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!GetPixel 000007feff469344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff46b9f8 6 bytes {JMP QWORD [RIP+0x264638]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff46c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda5a6f0 6 bytes {JMP QWORD [RIP+0x155940]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda80c10 6 bytes {JMP QWORD [RIP+0x14f420]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774c98e0 6 bytes {JMP QWORD [RIP+0x8bd6750]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774e0650 6 bytes {JMP QWORD [RIP+0x8b7f9e0]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007755acf0 6 bytes {JMP QWORD [RIP+0x8b25340]} .text C:\Windows\system32\svchost.exe[828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[828] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd923e80 6 bytes {JMP QWORD [RIP+0x2cc1b0]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\System32\svchost.exe[380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes JMP 893cb08 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes JMP 88bf0e8 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes JMP 5702ba1 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes JMP 8f4e9e0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes JMP 50006 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes JMP 8f2e8b0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes JMP 4b177a0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes JMP 4b0fc70 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes JMP 4b0fc70 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes JMP 11581 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes JMP 77f29a0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes JMP 7708080 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes JMP 5541229 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes JMP 4000a .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes JMP 6e0065 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes JMP 730072 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes JMP 340036 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes JMP 3e0022 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes JMP 200022 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes JMP 57002d .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes JMP 69006c .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes JMP 310032 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes JMP 200022 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes JMP 610076 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes JMP 610065 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes JMP 650072 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes JMP 6c0020 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes JMP 61002f .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd923e80 6 bytes {JMP QWORD [RIP+0x2cc1b0]} .text C:\Windows\system32\svchost.exe[708] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000e650a0 6 bytes {JMP QWORD [RIP+0x4baf90]} .text C:\Windows\system32\AUDIODG.EXE[1108] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[1108] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes JMP 0 .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes [B5, 6F, 06] .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\system32\SearchIndexer.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4622cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4624c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff465bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff468398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4689d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!GetPixel 000007feff469344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff46b9f8 6 bytes {JMP QWORD [RIP+0x584638]} .text C:\Windows\system32\Dwm.exe[3776] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff46c8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703b10 6 bytes {JMP QWORD [RIP+0x893c520]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777313a0 6 bytes {JMP QWORD [RIP+0x88eec90]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077731570 6 bytes {JMP QWORD [RIP+0x8eaeac0]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777315e0 6 bytes {JMP QWORD [RIP+0x8f8ea50]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077731620 6 bytes {JMP QWORD [RIP+0x8f4ea10]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777316c0 6 bytes {JMP QWORD [RIP+0x8fae970]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077731750 6 bytes {JMP QWORD [RIP+0x8f2e8e0]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077731790 6 bytes {JMP QWORD [RIP+0x8e2e8a0]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777317e0 6 bytes {JMP QWORD [RIP+0x8e4e850]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077731800 6 bytes {JMP QWORD [RIP+0x8f6e830]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777319f0 6 bytes {JMP QWORD [RIP+0x902e640]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077731b00 6 bytes {JMP QWORD [RIP+0x8e0e530]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077731bd0 6 bytes {JMP QWORD [RIP+0x8ece460]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077731d20 6 bytes {JMP QWORD [RIP+0x8fce310]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077731d30 6 bytes {JMP QWORD [RIP+0x900e300]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777320a0 6 bytes {JMP QWORD [RIP+0x8eedf90]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077732130 6 bytes {JMP QWORD [RIP+0x8fedf00]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777329a0 6 bytes {JMP QWORD [RIP+0x8f0d690]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077732a20 6 bytes {JMP QWORD [RIP+0x8e6d610]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077732aa0 6 bytes {JMP QWORD [RIP+0x8e8d590]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4622cc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4624c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff465bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff468398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4689d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!GetPixel 000007feff469344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff46b9f8 6 bytes {JMP QWORD [RIP+0x584638]} .text C:\Windows\Explorer.EXE[3964] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff46c8e0 6 bytes JMP 0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778df9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778df9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778dfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778dfcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778dfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778dfd68 2 bytes [E1, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778dfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778dfdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778dfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778dfec4 2 bytes [DE, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778dffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778dffa8 2 bytes [EA, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778e0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778e0008 2 bytes [02, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778e0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778e0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778e00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778e00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778e03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778e03bc 2 bytes [D2, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778e0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778e0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778e0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778e0698 2 bytes [F3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778e088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778e0890 2 bytes [DB, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778e08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778e08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778e0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778e0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778e0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778e0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778e1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778e1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778e1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778e1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778e1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778e1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077901287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076a0103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076a01072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4444] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000076a2c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778df9e0 3 bytes JMP 71af000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778df9e4 2 bytes JMP 71af000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778dfcb0 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778dfcb4 2 bytes [F6, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778dfd64 3 bytes JMP 70e2000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778dfd68 2 bytes JMP 70e2000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778dfdc8 3 bytes JMP 70e8000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778dfdcc 2 bytes JMP 70e8000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778dfec0 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778dfec4 2 bytes [DE, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778dffa4 3 bytes JMP 70eb000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778dffa8 2 bytes JMP 70eb000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778e0004 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778e0008 2 bytes [02, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778e0084 3 bytes JMP 7100000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778e0088 2 bytes JMP 7100000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778e00b4 3 bytes JMP 70e5000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778e00b8 2 bytes JMP 70e5000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778e03b8 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778e03bc 2 bytes [D2, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778e0550 3 bytes JMP 7106000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778e0554 2 bytes JMP 7106000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778e0694 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778e0698 2 bytes [F3, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778e088c 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778e0890 2 bytes [DB, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778e08a4 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778e08a8 2 bytes [D5, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778e0df4 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778e0df8 2 bytes [F0, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778e0ed8 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778e0edc 2 bytes [D8, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778e1be4 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778e1be8 2 bytes [ED, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778e1cb4 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778e1cb8 2 bytes [FC, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778e1d8c 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778e1d90 2 bytes [F9, 70] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077901287 6 bytes JMP 71a8000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076a0103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076a01072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076a2c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076dcf784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076dd2c9e 4 bytes CALL 71ac0000 .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075628332 6 bytes JMP 7160000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075628bff 6 bytes JMP 7154000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756290d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075629679 6 bytes JMP 714e000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756297d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007562efc9 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007562efcd 2 bytes [14, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756312a5 6 bytes JMP 715a000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007563291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetParent 0000000075632d64 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075632d68 2 bytes [23, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075632da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075633698 3 bytes JMP 7121000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007563369c 2 bytes JMP 7121000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075633baa 6 bytes JMP 715d000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075633c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075636110 6 bytes JMP 7163000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007563612e 6 bytes JMP 7151000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075636c30 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075637668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756376e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007563781f 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007563c4b6 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007563c4ba 2 bytes [1D, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007564c112 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007564d0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007564eb96 6 bytes JMP 712a000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007564ec68 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007564ec6c 2 bytes [2F, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendInput 000000007564ff4a 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007564ff4e 2 bytes [32, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075669f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075671497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!mouse_event 000000007568027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!keybd_event 00000000756802bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075686cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075686d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075687dd7 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075687ddb 2 bytes [1A, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000756888eb 3 bytes [FF, 25, 1E] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000756888ef 2 bytes [26, 71] .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755958b3 6 bytes JMP 7184000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075595ea6 6 bytes JMP 717e000a .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075597bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007559b895 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007559c332 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007559cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007559e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000755c4857 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Users\luq92\Desktop\tj8xsmr4.exe[4732] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076e85429 6 bytes {JMP QWORD [RIP+0x7192001e]} ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\WUDFHost.exe [1392:1424] 000007fef9e2e8ec Thread C:\Windows\System32\WUDFHost.exe [1392:1428] 000007fef9be5eb0 Thread C:\Windows\system32\svchost.exe [1960:2004] 000007fef88c3438 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3576:3584] 0000000077913e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3576:3592] 00000000772b7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3576:3596] 0000000073cd0cb3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3576:3628] 0000000077912e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3576:3448] 0000000077913e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3576:3432] 000000007573d864 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab314a1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@ReadyBootPlanAge 2 Reg HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@LastBootPlanUserTime ??r?, ?lis ?19 ?14, 04:33:42????????????E?????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab314a1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----