GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-04 22:08:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: 2v7d8gkc.exe; Driver: C:\Users\luq92\AppData\Local\Temp\uwddqkow.sys ---- User code sections - GMER 2.1 ---- .text ... * 2 .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007798db80 6 bytes {JMP QWORD [RIP+0x86d24b0]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Program Files (x86)\Brownie\brstsw64.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000077093bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000077093bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cb1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c8fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c8fec4 2 bytes [D8, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c903b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c903bc 2 bytes [C9, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c903d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c903d4 2 bytes [0E, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c90550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c90554 2 bytes [11, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c8f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c8f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c90694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c90698 2 bytes [ED, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c8ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c8ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c906f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c906f8 2 bytes [05, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c900b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c900b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c9079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c907a0 2 bytes [0B, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c907e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c907e8 2 bytes [FF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c8ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c8ffa8 2 bytes [E4, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c90874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c90878 2 bytes [02, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c9088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c90890 2 bytes [D5, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c90004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c90008 2 bytes [FC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c908a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c908a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c90df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c90df8 2 bytes [EA, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c90ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c90edc 2 bytes [D2, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c8fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c8fd68 2 bytes [DB, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c8fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c8fdcc 2 bytes [E1, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c8fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c8fb2c 2 bytes [CF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c91be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c91be8 2 bytes [E7, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c91cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c91cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c91d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c91d90 2 bytes [F3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c8fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c8fcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c90084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c90088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000077093bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000077093bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cb1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c8fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c8fec4 2 bytes [D8, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c903b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c903bc 2 bytes [C9, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c903d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c903d4 2 bytes [0E, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c90550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c90554 2 bytes [11, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c8f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c8f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c90694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c90698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c8ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c8ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c906f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c906f8 2 bytes [05, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c900b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c900b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c9079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c907a0 2 bytes [0B, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c907e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c907e8 2 bytes [FF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c8ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c8ffa8 2 bytes [E4, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c90874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c90878 2 bytes [02, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c9088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c90890 2 bytes [D5, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c90004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c90008 2 bytes [FC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c908a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c908a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c90df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c90df8 2 bytes [EA, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c90ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c90edc 2 bytes [D2, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c8fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c8fd68 2 bytes [DB, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c8fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c8fdcc 2 bytes [E1, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c8fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c8fb2c 2 bytes [CF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c91be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c91be8 2 bytes [E7, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c91cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c91cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c91d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c91d90 2 bytes [F3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c8fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c8fcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c90084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c90088 2 bytes JMP 70fa000a .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ae1430 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ae1430 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 8 bytes JMP 000000016fff0110 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000768d5ea6 6 bytes JMP 718a000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000768d7bcc 6 bytes JMP 7199000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000768de743 6 bytes JMP 7196000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000768d58b3 6 bytes JMP 7190000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000768dcbfb 6 bytes JMP 7193000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000768dc332 6 bytes JMP 7187000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076904857 6 bytes JMP 7184000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000768db895 6 bytes JMP 7181000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bbb 3 bytes JMP 719c000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000077093bbf 2 bytes JMP 719c000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076842c9e 4 bytes CALL 71ac0000 .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007683f784 6 bytes JMP 719f000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cb1287 6 bytes JMP 71a8000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c8fec0 3 bytes JMP 70d9000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c8fec4 2 bytes JMP 70d9000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c903b8 3 bytes JMP 70ca000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c903bc 2 bytes JMP 70ca000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c903d0 3 bytes JMP 710f000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077c903d4 2 bytes JMP 710f000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c90550 3 bytes JMP 7112000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c90554 2 bytes JMP 7112000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c8f9e0 3 bytes JMP 71af000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c8f9e4 2 bytes JMP 71af000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c90694 3 bytes JMP 70ee000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c90698 2 bytes JMP 70ee000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077c8ff74 3 bytes JMP 7109000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077c8ff78 2 bytes JMP 7109000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077c906f4 3 bytes JMP 7106000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077c906f8 2 bytes JMP 7106000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c900b4 3 bytes JMP 70df000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c900b8 2 bytes JMP 70df000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c9079c 3 bytes JMP 710c000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077c907a0 2 bytes JMP 710c000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077c907e4 3 bytes JMP 7100000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077c907e8 2 bytes JMP 7100000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c8ffa4 3 bytes JMP 70e5000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c8ffa8 2 bytes JMP 70e5000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077c90874 3 bytes JMP 7103000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077c90878 2 bytes JMP 7103000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c9088c 3 bytes JMP 70d6000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c90890 2 bytes JMP 70d6000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c90004 3 bytes JMP 70fd000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c90008 2 bytes JMP 70fd000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c908a4 3 bytes JMP 70cd000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c908a8 2 bytes JMP 70cd000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c90df4 3 bytes JMP 70eb000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c90df8 2 bytes JMP 70eb000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c90ed8 3 bytes JMP 70d3000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c90edc 2 bytes JMP 70d3000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c8fd64 3 bytes JMP 70dc000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c8fd68 2 bytes JMP 70dc000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c8fdc8 3 bytes JMP 70e2000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c8fdcc 2 bytes JMP 70e2000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077c8fb28 3 bytes JMP 70d0000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077c8fb2c 2 bytes JMP 70d0000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c91be4 3 bytes JMP 70e8000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c91be8 2 bytes JMP 70e8000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c91cb4 3 bytes JMP 70f7000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c91cb8 2 bytes JMP 70f7000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c91d8c 3 bytes JMP 70f4000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c91d90 2 bytes JMP 70f4000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c8fcb0 3 bytes JMP 70f1000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c8fcb4 2 bytes JMP 70f1000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c90084 3 bytes JMP 70fa000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c90088 2 bytes JMP 70fa000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775814bb 2 bytes [58, 77] .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077581465 2 bytes [58, 77] .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007563124e 6 bytes JMP 718d000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!BlockInput 00000000759b7dd7 3 bytes JMP 7127000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000759b7ddb 2 bytes JMP 7127000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075962da4 6 bytes JMP 7118000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000759a1497 6 bytes JMP 7115000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007597eb96 6 bytes JMP 7136000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075999f1d 6 bytes JMP 7124000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007597ec68 3 bytes JMP 713c000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007597ec6c 2 bytes JMP 713c000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007596291f 6 bytes JMP 7139000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!keybd_event 00000000759b02bf 6 bytes JMP 717e000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!mouse_event 00000000759b027b 6 bytes JMP 717b000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075963698 3 bytes JMP 712d000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007596369c 2 bytes JMP 712d000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075963baa 6 bytes JMP 7169000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759612a5 6 bytes JMP 7166000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075963c61 6 bytes JMP 7163000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075958bff 6 bytes JMP 7160000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007595efc9 3 bytes JMP 7121000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007595efcd 2 bytes JMP 7121000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000759b88eb 3 bytes JMP 7133000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000759b88ef 2 bytes JMP 7133000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007597c112 6 bytes JMP 7145000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007597d0f5 6 bytes JMP 7142000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendInput 000000007597ff4a 3 bytes JMP 713f000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007597ff4e 2 bytes JMP 713f000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007596612e 6 bytes JMP 715d000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000759b6cfc 6 bytes JMP 7151000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759676e0 6 bytes JMP 714e000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007596781f 6 bytes JMP 7157000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759597d2 6 bytes JMP 7154000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075959679 6 bytes JMP 715a000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000759b6d5d 6 bytes JMP 714b000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075967668 6 bytes JMP 7148000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007596c4b6 3 bytes JMP 712a000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007596c4ba 2 bytes JMP 712a000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetParent 0000000075962d64 3 bytes JMP 7130000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075962d68 2 bytes JMP 7130000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075966110 6 bytes JMP 716f000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075958332 6 bytes JMP 716c000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007596835c 6 bytes JMP 7178000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075967603 6 bytes JMP 7175000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007595ee09 6 bytes JMP 7172000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075966c30 6 bytes JMP 711e000a .text C:\Users\luq92\Desktop\2v7d8gkc.exe[1460] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759590d3 6 bytes JMP 711b000a .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!BitBlt 000007feff0824c0 6 bytes {JMP QWORD [RIP+0x26db70]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff0889d8 6 bytes {JMP QWORD [RIP+0x1e7658]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff088398 6 bytes {JMP QWORD [RIP+0x207c98]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff0822cc 6 bytes {JMP QWORD [RIP+0x24dd64]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!GetPixel 000007feff089344 6 bytes {JMP QWORD [RIP+0x226cec]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff085bf0 6 bytes {JMP QWORD [RIP+0x28a440]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff08c8e0 6 bytes {JMP QWORD [RIP+0x2a3750]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff08b9f8 6 bytes {JMP QWORD [RIP+0x2c4638]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007798db80 6 bytes {JMP QWORD [RIP+0x86d24b0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!BitBlt 000007feff0824c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff0889d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff088398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff0822cc 6 bytes JMP 0 .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!GetPixel 000007feff089344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff085bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff08c8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff08b9f8 6 bytes JMP 2441a0 .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007798db80 6 bytes {JMP QWORD [RIP+0x86d24b0]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 77000026 .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Windows\splwow64.exe[5788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Windows\splwow64.exe[5788] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000020050a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd978ef1 5 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x896c520]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x941e970]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x85de640]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x85be630]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x85fe530]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x891ec90]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x879e460]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x869e900]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x86de420]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x883e830]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x865e3b0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077ae1c90 6 bytes {JMP QWORD [RIP+0x881e3a0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x875e380]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x87de8e0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x871e320]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x943e310]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x92ee8a0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x949e300]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000077ae1d90 6 bytes {JMP QWORD [RIP+0x87be2a0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000077ae1640 6 bytes {JMP QWORD [RIP+0x889e9f0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x939df90]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x945df00]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ae2190 6 bytes {JMP QWORD [RIP+0x88ddea0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ae21a0 6 bytes {JMP QWORD [RIP+0x88bde90]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ae16b0 6 bytes {JMP QWORD [RIP+0x86be980]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ae21d0 6 bytes {JMP QWORD [RIP+0x86fde60]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x885ea50]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ae2240 6 bytes {JMP QWORD [RIP+0x867ddf0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x87fea10]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ae2290 6 bytes {JMP QWORD [RIP+0x873dda0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 0000000077ae14e0 6 bytes {JMP QWORD [RIP+0x887eb50]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000077ae1370 6 bytes {JMP QWORD [RIP+0x863ecc0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077ae14d0 6 bytes {JMP QWORD [RIP+0x861eb60]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000077ae27a0 6 bytes {JMP QWORD [RIP+0x877d890]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x947ebc0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x93bd690]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077ae29c0 6 bytes {JMP QWORD [RIP+0x88fd670]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x932d610]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x934d590]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x936eac0]} .text C:\Windows\system32\DllHost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x930e850]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!BitBlt 000007feff0824c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff0889d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff088398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff0822cc 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!GetPixel 000007feff089344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff085bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff08c8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff08b9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!BitBlt 000007feff0824c0 6 bytes {JMP QWORD [RIP+0x26db70]} .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff0889d8 6 bytes {JMP QWORD [RIP+0x1e7658]} .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff088398 6 bytes {JMP QWORD [RIP+0x207c98]} .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff0822cc 6 bytes {JMP QWORD [RIP+0x24dd64]} .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!GetPixel 000007feff089344 6 bytes {JMP QWORD [RIP+0x226cec]} .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff085bf0 6 bytes {JMP QWORD [RIP+0x28a440]} .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff08c8e0 6 bytes JMP 650066 .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff08b9f8 6 bytes {JMP QWORD [RIP+0x2c4638]} .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxpers.exe[2300] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef83e80 6 bytes {JMP QWORD [RIP+0x18c1b0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011550a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x896c520]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x941e970]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x85de640]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x85be630]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x85fe530]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x891ec90]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x879e460]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x869e900]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x86de420]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x883e830]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x865e3b0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077ae1c90 6 bytes {JMP QWORD [RIP+0x881e3a0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x875e380]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x87de8e0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x871e320]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x943e310]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x92ee8a0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x949e300]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000077ae1d90 6 bytes {JMP QWORD [RIP+0x87be2a0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000077ae1640 6 bytes {JMP QWORD [RIP+0x889e9f0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x939df90]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x945df00]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ae2190 6 bytes {JMP QWORD [RIP+0x88ddea0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ae21a0 6 bytes {JMP QWORD [RIP+0x88bde90]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ae16b0 6 bytes {JMP QWORD [RIP+0x86be980]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ae21d0 6 bytes {JMP QWORD [RIP+0x86fde60]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x885ea50]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ae2240 6 bytes {JMP QWORD [RIP+0x867ddf0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x87fea10]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ae2290 6 bytes {JMP QWORD [RIP+0x873dda0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 0000000077ae14e0 6 bytes {JMP QWORD [RIP+0x887eb50]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000077ae1370 6 bytes {JMP QWORD [RIP+0x863ecc0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077ae14d0 6 bytes {JMP QWORD [RIP+0x861eb60]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000077ae27a0 6 bytes {JMP QWORD [RIP+0x877d890]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x947ebc0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x93bd690]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077ae29c0 6 bytes {JMP QWORD [RIP+0x88fd670]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x932d610]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x934d590]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x936eac0]} .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x930e850]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes JMP 8d77600 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes JMP 866801 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes JMP 85d77f1 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes JMP 47f7483f .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes JMP 40cb4362 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes JMP d3802d8 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes JMP 87fbf99 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes JMP 6d585e1 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes JMP 26572676 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes JMP 88e0e10 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes JMP 6961e60 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes JMP 60f4fb0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes JMP 200 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes JMP 98256d1 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes JMP 41bc4238 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes JMP 9ecf269 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes JMP 8081318 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes JMP 8c99c50 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes JMP 9ecfa21 .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007798db80 6 bytes {JMP QWORD [RIP+0x86d24b0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Windows\system32\svchost.exe[6132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007798db80 6 bytes {JMP QWORD [RIP+0x8e524b0]} .text C:\Windows\system32\svchost.exe[6132] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000779f16e0 6 bytes {JMP QWORD [RIP+0x864e950]} .text C:\Windows\system32\svchost.exe[6132] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000779762e0 6 bytes {JMP QWORD [RIP+0x86a9d50]} .text C:\Windows\system32\svchost.exe[6132] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077983a20 6 bytes {JMP QWORD [RIP+0x86fc610]} .text C:\Windows\system32\svchost.exe[6132] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000018e50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ab3b10 6 bytes {JMP QWORD [RIP+0x858c520]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077ae16c0 6 bytes {JMP QWORD [RIP+0x8c7e970]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077ae19f0 6 bytes {JMP QWORD [RIP+0x8d1e640]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077ae1a00 6 bytes {JMP QWORD [RIP+0x8a3e630]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ae1b00 6 bytes {JMP QWORD [RIP+0x8a1e530]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ae13a0 6 bytes {JMP QWORD [RIP+0x853ec90]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077ae1bd0 6 bytes {JMP QWORD [RIP+0x8b9e460]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ae1730 6 bytes {JMP QWORD [RIP+0x8a7e900]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ae1c10 6 bytes {JMP QWORD [RIP+0x8a9e420]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ae1800 6 bytes {JMP QWORD [RIP+0x8c3e830]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ae1c80 6 bytes {JMP QWORD [RIP+0x8a5e3b0]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077ae1cb0 6 bytes {JMP QWORD [RIP+0x8ade380]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ae1750 6 bytes {JMP QWORD [RIP+0x8bfe8e0]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ae1d10 6 bytes {JMP QWORD [RIP+0x8abe320]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae1d20 6 bytes {JMP QWORD [RIP+0x8c9e310]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ae1790 6 bytes {JMP QWORD [RIP+0x8afe8a0]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ae1d30 6 bytes {JMP QWORD [RIP+0x8cfe300]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ae20a0 6 bytes {JMP QWORD [RIP+0x8bbdf90]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077ae2130 6 bytes {JMP QWORD [RIP+0x8cbdf00]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ae15e0 6 bytes {JMP QWORD [RIP+0x8c5ea50]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ae1620 6 bytes {JMP QWORD [RIP+0x8c1ea10]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077ae1470 6 bytes {JMP QWORD [RIP+0x8cdebc0]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ae29a0 6 bytes {JMP QWORD [RIP+0x8bdd690]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ae2a20 6 bytes {JMP QWORD [RIP+0x8b3d610]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ae2aa0 6 bytes {JMP QWORD [RIP+0x8b5d590]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ae1570 6 bytes {JMP QWORD [RIP+0x8b7eac0]} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ae17e0 6 bytes {JMP QWORD [RIP+0x8b1e850]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!BitBlt 000007feff0824c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff0889d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff088398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff0822cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!GetPixel 000007feff089344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff085bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff08c8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff08b9f8 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007798db80 6 bytes {JMP QWORD [RIP+0x86d24b0]} .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\System32\WUDFHost.exe[5180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff80002ff9000 46 bytes [01, 20, FC, 50, 01, 30, FC, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 812 fffff80002ff916c 53 bytes [01, D0, D5, 50, 01, E0, 01, ...] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab314a1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab314a1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----