GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-09 11:50:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.AX00 298,09GB Running: gmer.exe; Driver: C:\Users\Ania\AppData\Local\Temp\uxdyrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\services.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\services.exe[632] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\windows\system32\services.exe[632] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\windows\system32\services.exe[632] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\windows\system32\services.exe[632] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\windows\system32\services.exe[632] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\windows\system32\services.exe[632] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\windows\system32\services.exe[632] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\services.exe[632] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\services.exe[632] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff263440 6 bytes {JMP QWORD [RIP+0x1ccbf0]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\lsass.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\lsass.exe[640] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\lsass.exe[640] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\lsm.exe[656] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\lsm.exe[656] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\nvvsvc.exe[852] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x1018b90]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\svchost.exe[884] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\svchost.exe[884] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\svchost.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\svchost.exe[1020] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\svchost.exe[1020] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\System32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\System32\svchost.exe[420] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\System32\svchost.exe[420] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\System32\svchost.exe[420] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes JMP 2b002b .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes JMP 9b4ef08 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes JMP 336801 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes JMP 1014c68 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes JMP 4 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes JMP 8bcfaa0 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes JMP 8c79d59 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes JMP 5c0047 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes JMP 8a01 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes JMP 2c81 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes JMP 1d001d .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes JMP 635081 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes JMP 190019 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes JMP 64b481 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes JMP 8fb89c0 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes JMP d2e81 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes JMP 8acdc80 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes JMP 9cb801 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes JMP 8f0e3f0 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes JMP 909d4d2 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes JMP 199801 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes JMP 56005f .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes JMP 1014030 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes JMP 8c79d59 .text C:\windows\System32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes JMP 8693c51 .text C:\windows\System32\svchost.exe[564] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes JMP b0e9951 .text C:\windows\System32\svchost.exe[564] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes JMP 88f5e70 .text C:\windows\System32\svchost.exe[564] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes JMP 10071 .text C:\windows\System32\svchost.exe[564] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes JMP 32c481 .text C:\windows\System32\svchost.exe[564] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes JMP 8bb1c59 .text C:\windows\System32\svchost.exe[564] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes JMP 8693bb9 .text C:\windows\System32\svchost.exe[564] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\System32\svchost.exe[564] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\System32\svchost.exe[564] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\svchost.exe[1028] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\svchost.exe[1028] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\svchost.exe[1028] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\svchost.exe[1028] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes JMP 208d10 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes CALL b03 .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff263440 6 bytes {JMP QWORD [RIP+0x1ccbf0]} .text C:\windows\system32\svchost.exe[1080] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\svchost.exe[1444] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\svchost.exe[1444] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\svchost.exe[1444] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\svchost.exe[1444] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff263440 6 bytes {JMP QWORD [RIP+0x1ccbf0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 0A] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1540] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0E] .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\System32\svchost.exe[1600] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\System32\svchost.exe[1600] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\System32\svchost.exe[1600] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\System32\svchost.exe[1600] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\taskhost.exe[2612] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\taskhost.exe[2612] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\taskeng.exe[2652] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\taskeng.exe[2652] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes JMP 0 .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes JMP fe5e00fc .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes JMP 0 .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes JMP 2ed .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\Explorer.EXE[2768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 0A] .text C:\windows\Explorer.EXE[2768] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0E] .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!DeleteDC 000007feff6f22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!BitBlt 000007feff6f24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!MaskBlt 000007feff6f5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!CreateDCW 000007feff6f8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!CreateDCA 000007feff6f89bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!GetPixel 000007feff6f9320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!StretchBlt 000007feff6fb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\GDI32.dll!PlgBlt 000007feff6fc8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!RegisterRawInputDevices 00000000775e6ef0 6 bytes {JMP QWORD [RIP+0x8e59140]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SystemParametersInfoA 00000000775e8184 6 bytes {JMP QWORD [RIP+0x8f37eac]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SetParent 00000000775e8530 6 bytes {JMP QWORD [RIP+0x8e77b00]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SetWindowLongA 00000000775e9bcc 6 bytes {JMP QWORD [RIP+0x8bd6464]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!PostMessageA 00000000775ea404 6 bytes {JMP QWORD [RIP+0x8c15c2c]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!EnableWindow 00000000775eaaa0 6 bytes {JMP QWORD [RIP+0x8f75590]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!MoveWindow 00000000775eaad0 6 bytes {JMP QWORD [RIP+0x8e95560]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!GetAsyncKeyState 00000000775ec720 6 bytes {JMP QWORD [RIP+0x8e33910]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!RegisterHotKey 00000000775ecd50 6 bytes {JMP QWORD [RIP+0x8f132e0]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!PostThreadMessageA 00000000775ed2b0 6 bytes {JMP QWORD [RIP+0x8c52d80]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendMessageA 00000000775ed338 6 bytes {JMP QWORD [RIP+0x8c92cf8]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendNotifyMessageW 00000000775edc40 6 bytes {JMP QWORD [RIP+0x8d723f0]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SystemParametersInfoW 00000000775ef510 6 bytes {JMP QWORD [RIP+0x8f50b20]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SetWindowsHookExW 00000000775ef874 6 bytes {JMP QWORD [RIP+0x8b907bc]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendMessageTimeoutW 00000000775efac0 6 bytes {JMP QWORD [RIP+0x8cf0570]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!PostThreadMessageW 00000000775f0b74 6 bytes {JMP QWORD [RIP+0x8c6f4bc]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SetWindowLongW 00000000775f33b0 6 bytes {JMP QWORD [RIP+0x8becc80]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SetWinEventHook + 1 00000000775f4d4d 5 bytes {JMP QWORD [RIP+0x8bab2e4]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!GetKeyState 00000000775f5010 6 bytes {JMP QWORD [RIP+0x8e0b020]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendMessageCallbackW 00000000775f5438 6 bytes {JMP QWORD [RIP+0x8d2abf8]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendMessageW 00000000775f6b50 6 bytes {JMP QWORD [RIP+0x8ca94e0]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!PostMessageW 00000000775f76e4 6 bytes {JMP QWORD [RIP+0x8c2894c]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendDlgItemMessageW 00000000775fdd90 6 bytes {JMP QWORD [RIP+0x8da22a0]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!GetClipboardData 00000000775fe874 6 bytes {JMP QWORD [RIP+0x8ee17bc]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SetClipboardViewer 00000000775ff780 6 bytes {JMP QWORD [RIP+0x8ea08b0]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendNotifyMessageA 00000000776028e4 6 bytes {JMP QWORD [RIP+0x8d3d74c]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!mouse_event 0000000077603894 6 bytes {JMP QWORD [RIP+0x8b3c79c]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!GetKeyboardState 0000000077608a10 6 bytes {JMP QWORD [RIP+0x8dd7620]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000077608be0 6 bytes {JMP QWORD [RIP+0x8cb7450]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077608c20 6 bytes {JMP QWORD [RIP+0x8b57410]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendInput 0000000077608cd0 6 bytes {JMP QWORD [RIP+0x8db7360]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!BlockInput 000000007760ad60 6 bytes {JMP QWORD [RIP+0x8eb52d0]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!ExitWindowsEx 00000000776314e0 6 bytes {JMP QWORD [RIP+0x8f4eb50]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!keybd_event 00000000776545a4 6 bytes {JMP QWORD [RIP+0x8acba8c]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007765cc08 6 bytes {JMP QWORD [RIP+0x8d23428]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007765df18 6 bytes {JMP QWORD [RIP+0x8ca2118]} .text C:\windows\Explorer.EXE[2768] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x1018b90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[824] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[824] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[824] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[824] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[824] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[824] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2556] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[2244] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000778dfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778dfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000778dfb74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000778dfb78 2 bytes [C0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778dfcfc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778dfd00 2 bytes [E1, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778dfdb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778dfdb4 2 bytes [CC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778dfe14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778dfe18 2 bytes [D2, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778dff0c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778dff10 2 bytes [C9, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778dffc0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000778dffc4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778dfff0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778dfff4 2 bytes [D5, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778e0050 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778e0054 2 bytes [ED, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778e00d0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778e00d4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778e0100 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778e0104 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778e0404 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778e0408 2 bytes [BA, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000778e041c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000778e0420 2 bytes [FF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778e059c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778e05a0 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778e06e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778e06e4 2 bytes [DE, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000778e0740 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000778e0744 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778e07e8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000778e07ec 2 bytes [FC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000778e0830 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000778e0834 2 bytes [F0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778e08c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000778e08c4 2 bytes [F3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778e08d8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778e08dc 2 bytes [C6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778e08f0 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778e08f4 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778e0e40 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778e0e44 2 bytes [DB, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778e0f24 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778e0f28 2 bytes [C3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778e1c30 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778e1c34 2 bytes [D8, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778e1d00 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778e1d04 2 bytes [E7, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778e1dd8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778e1ddc 2 bytes [E4, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077903bfb 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000773d3bab 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000773d3baf 2 bytes [9B, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000773d9aa4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\KERNEL32.dll!CopyFileExW 00000000773e3b62 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000773eccd1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007743dc3e 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007743dce1 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000768a8332 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000768a8bff 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768a90d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendMessageW 00000000768a9679 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768a97d2 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000768aee09 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000768aefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000768aefcd 2 bytes [11, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!PostMessageW 00000000768b12a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!GetKeyState 00000000768b291f 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetParent 00000000768b2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000768b2d68 2 bytes [20, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!EnableWindow 00000000768b2da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!MoveWindow 00000000768b3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000768b369c 2 bytes [1D, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!PostMessageA 00000000768b3baa 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000768b3c61 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000768b6110 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendMessageA 00000000768b612e 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000768b6c30 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768b7603 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000768b7668 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768b76e0 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000768b781f 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768b835c 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000768bc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000768bc4ba 2 bytes [1A, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768cc112 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768cd0f5 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768ceb96 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000768cec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768cec6c 2 bytes [2C, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendInput 00000000768cff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000768cff4e 2 bytes [2F, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000768e9f1d 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000768f1497 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!mouse_event 000000007690027b 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!keybd_event 00000000769002bf 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076906cfc 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076906d5d 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!BlockInput 0000000076907dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076907ddb 2 bytes [17, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3516] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769088ef 2 bytes [23, 71] .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\SearchIndexer.exe[3812] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3632] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3632] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3632] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[980] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\svchost.exe[980] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\svchost.exe[980] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x893cdd0]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x88f2390]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x91322c0]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x8fd21c0]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x90b2150]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x9072110]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x90d2070]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8ed2000]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x9051fe0]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x8f51fa0]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x8f71f50]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x9091f30]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x9171d40]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8e91d30]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x8e71c30]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8ff1b60]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8ef1b20]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8eb1ab0]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8f31a80]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8f11a20]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x90f1a10]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9151a00]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9011690]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x9111600]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9030d90]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x8f90d10]} .text C:\windows\System32\svchost.exe[2076] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 6 bytes {JMP QWORD [RIP+0x8fb0c90]} .text C:\windows\System32\svchost.exe[2076] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\System32\svchost.exe[2076] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\System32\svchost.exe[2076] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007772dd30 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000778dfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778dfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000778dfb74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000778dfb78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778dfcfc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778dfd00 2 bytes [E1, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778dfdb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778dfdb4 2 bytes [CC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778dfe14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778dfe18 2 bytes [D2, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778dff0c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778dff10 2 bytes [C9, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778dffc0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000778dffc4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778dfff0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778dfff4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778e0050 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778e0054 2 bytes [ED, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778e00d0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778e00d4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778e0100 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778e0104 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778e0404 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778e0408 2 bytes [BA, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000778e041c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000778e0420 2 bytes [FF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778e059c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778e05a0 2 bytes [02, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778e06e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778e06e4 2 bytes [DE, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000778e0740 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000778e0744 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778e07e8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000778e07ec 2 bytes [FC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000778e0830 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000778e0834 2 bytes [F0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778e08c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000778e08c4 2 bytes [F3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778e08d8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778e08dc 2 bytes [C6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778e08f0 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778e08f4 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778e0e40 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778e0e44 2 bytes [DB, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778e0f24 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778e0f28 2 bytes [C3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778e1c30 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778e1c34 2 bytes [D8, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778e1d00 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778e1d04 2 bytes [E7, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778e1dd8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778e1ddc 2 bytes [E4, 70] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077903bfb 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000773d3bab 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000773d3baf 2 bytes [9B, 71] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000773d9aa4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNEL32.dll!CopyFileExW 00000000773e3b62 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000773eccd1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007743dc3e 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007743dce1 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007736f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5096] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077372ca4 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x8d1cdd0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtReplyPort 000000007772dc70 6 bytes {JMP QWORD [RIP+0x89f23c0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x8cd2390]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x98f22c0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 000000007772ddd0 6 bytes {JMP QWORD [RIP+0x89d2260]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007772dde0 6 bytes {JMP QWORD [RIP+0x8c32250]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x97e21c0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x8c12150]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x8bb2110]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtFsControlFile 000000007772df40 6 bytes {JMP QWORD [RIP+0x8c520f0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007772dfb0 6 bytes {JMP QWORD [RIP+0x8a72080]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x9892070]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8a52000]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x8b91fe0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x9761fa0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x9781f50]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x8bf1f30]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x8991d40]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8971d30]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x89b1c30]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8b51b60]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8a91b20]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8a11ab0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 000000007772e590 6 bytes {JMP QWORD [RIP+0x8bd1aa0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8b11a80]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8ad1a20]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x98b1a10]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9911a00]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 000000007772e690 6 bytes {JMP QWORD [RIP+0x8b719a0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9811690]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x98d1600]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007772ea90 6 bytes {JMP QWORD [RIP+0x8c915a0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007772eaa0 6 bytes {JMP QWORD [RIP+0x8c71590]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007772ead0 6 bytes {JMP QWORD [RIP+0x8ab1560]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007772eb40 6 bytes {JMP QWORD [RIP+0x8a314f0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007772eb90 6 bytes {JMP QWORD [RIP+0x8af14a0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007772f0a0 6 bytes {JMP QWORD [RIP+0x8b30f90]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9830d90]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007772f2c0 6 bytes {JMP QWORD [RIP+0x8cb0d70]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x97a0d10]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 4 bytes [FF, 25, 90, 0C] .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 5 000000007772f3a5 1 byte [09] .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000774c62d0 6 bytes {JMP QWORD [RIP+0x8b59d60]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x93ae7c0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!RegOpenKeyExW 00000000774d3a00 6 bytes {JMP QWORD [RIP+0x8bac630]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x9302470]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000077541750 6 bytes {JMP QWORD [RIP+0x8afe8e0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x92d0b30]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x9310b00]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x92b0930]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x92eab60]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd7aaec1 5 bytes {JMP QWORD [RIP+0xb5170]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes CALL b03 .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff35687c 6 bytes {JMP QWORD [RIP+0x5597b4]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff358e30 6 bytes {JMP QWORD [RIP+0x5d7200]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff35995c 6 bytes {JMP QWORD [RIP+0x5b66d4]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff3599e4 6 bytes {JMP QWORD [RIP+0xf664c]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff359ac8 6 bytes {JMP QWORD [RIP+0xd6568]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff35a51c 6 bytes {JMP QWORD [RIP+0x175b14]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff35a530 6 bytes {JMP QWORD [RIP+0x155b00]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff35a5b0 5 bytes [FF, 25, 80, 5A, 11] .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff35a5c4 6 bytes {JMP QWORD [RIP+0x135a6c]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff35bb28 6 bytes {JMP QWORD [RIP+0x574508]} .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff35bb3c 3 bytes [FF, 25, F4] .text C:\windows\system32\svchost.exe[3640] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff35bb40 2 bytes [59, 00] .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff263440 6 bytes {JMP QWORD [RIP+0x6ecbf0]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!DeleteDC 000007feff6f22cc 6 bytes {JMP QWORD [RIP+0x2edd64]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!BitBlt 000007feff6f24c0 6 bytes {JMP QWORD [RIP+0x91db70]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!MaskBlt 000007feff6f5bf0 6 bytes {JMP QWORD [RIP+0x93a440]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!CreateDCW 000007feff6f8398 6 bytes {JMP QWORD [RIP+0x2a7c98]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!CreateDCA 000007feff6f89bc 6 bytes {JMP QWORD [RIP+0x287674]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!GetPixel 000007feff6f9320 6 bytes {JMP QWORD [RIP+0x2c6d10]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!StretchBlt 000007feff6fb9e8 6 bytes {JMP QWORD [RIP+0x974648]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\GDI32.dll!PlgBlt 000007feff6fc8f0 6 bytes {JMP QWORD [RIP+0x953740]} .text C:\windows\system32\svchost.exe[3640] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077703260 6 bytes {JMP QWORD [RIP+0x8d1cdd0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtReplyPort 000000007772dc70 6 bytes {JMP QWORD [RIP+0x89f23c0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtClose 000000007772dca0 6 bytes {JMP QWORD [RIP+0x8cd2390]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007772dd70 6 bytes {JMP QWORD [RIP+0x98f22c0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 000000007772ddd0 6 bytes {JMP QWORD [RIP+0x89d2260]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007772dde0 6 bytes {JMP QWORD [RIP+0x8c32250]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007772de70 6 bytes {JMP QWORD [RIP+0x97e21c0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007772dee0 6 bytes {JMP QWORD [RIP+0x8c12150]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007772df20 6 bytes {JMP QWORD [RIP+0x8bb2110]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtFsControlFile 000000007772df40 6 bytes {JMP QWORD [RIP+0x8c520f0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007772dfb0 6 bytes {JMP QWORD [RIP+0x8a72080]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007772dfc0 6 bytes {JMP QWORD [RIP+0x9892070]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007772e030 6 bytes {JMP QWORD [RIP+0x8a52000]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007772e050 6 bytes {JMP QWORD [RIP+0x8b91fe0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007772e090 6 bytes {JMP QWORD [RIP+0x9761fa0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007772e0e0 6 bytes {JMP QWORD [RIP+0x9781f50]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007772e100 6 bytes {JMP QWORD [RIP+0x8bf1f30]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007772e2f0 6 bytes {JMP QWORD [RIP+0x8991d40]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007772e300 6 bytes {JMP QWORD [RIP+0x8971d30]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007772e400 6 bytes {JMP QWORD [RIP+0x89b1c30]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007772e4d0 6 bytes {JMP QWORD [RIP+0x8b51b60]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007772e510 6 bytes {JMP QWORD [RIP+0x8a91b20]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007772e580 6 bytes {JMP QWORD [RIP+0x8a11ab0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 000000007772e590 6 bytes {JMP QWORD [RIP+0x8bd1aa0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007772e5b0 6 bytes {JMP QWORD [RIP+0x8b11a80]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007772e610 6 bytes {JMP QWORD [RIP+0x8ad1a20]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007772e620 6 bytes {JMP QWORD [RIP+0x98b1a10]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007772e630 6 bytes {JMP QWORD [RIP+0x9911a00]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 000000007772e690 6 bytes {JMP QWORD [RIP+0x8b719a0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007772e9a0 6 bytes {JMP QWORD [RIP+0x9811690]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007772ea30 6 bytes {JMP QWORD [RIP+0x98d1600]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007772ea90 6 bytes {JMP QWORD [RIP+0x8c915a0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007772eaa0 6 bytes {JMP QWORD [RIP+0x8c71590]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007772ead0 6 bytes {JMP QWORD [RIP+0x8ab1560]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007772eb40 6 bytes {JMP QWORD [RIP+0x8a314f0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007772eb90 6 bytes {JMP QWORD [RIP+0x8af14a0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 000000007772f0a0 6 bytes {JMP QWORD [RIP+0x8b30f90]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007772f2a0 6 bytes {JMP QWORD [RIP+0x9830d90]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemTime 000000007772f2c0 6 bytes {JMP QWORD [RIP+0x8cb0d70]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007772f320 6 bytes {JMP QWORD [RIP+0x97a0d10]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007772f3a0 4 bytes [FF, 25, 90, 0C] .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 5 000000007772f3a5 1 byte [09] .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000774c62d0 6 bytes {JMP QWORD [RIP+0x8b59d60]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x93ae7c0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!RegOpenKeyExW 00000000774d3a00 6 bytes {JMP QWORD [RIP+0x8bac630]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x9302470]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000077541750 6 bytes {JMP QWORD [RIP+0x8afe8e0]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x92d0b30]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x9310b00]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x92b0930]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x92eab60]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd7aaec1 5 bytes {JMP QWORD [RIP+0xb5170]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes CALL b03 .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff35687c 6 bytes {JMP QWORD [RIP+0x5597b4]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff358e30 6 bytes {JMP QWORD [RIP+0x5d7200]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff35995c 6 bytes {JMP QWORD [RIP+0x5b66d4]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff3599e4 6 bytes {JMP QWORD [RIP+0xf664c]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff359ac8 6 bytes {JMP QWORD [RIP+0xd6568]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff35a51c 6 bytes {JMP QWORD [RIP+0x175b14]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff35a530 6 bytes {JMP QWORD [RIP+0x155b00]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff35a5b0 5 bytes [FF, 25, 80, 5A, 11] .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff35a5c4 6 bytes {JMP QWORD [RIP+0x135a6c]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff35bb28 6 bytes {JMP QWORD [RIP+0x574508]} .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff35bb3c 3 bytes [FF, 25, F4] .text C:\windows\system32\svchost.exe[1856] C:\windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff35bb40 2 bytes [59, 00] .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!DeleteDC 000007feff6f22cc 6 bytes {JMP QWORD [RIP+0x2edd64]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!BitBlt 000007feff6f24c0 6 bytes {JMP QWORD [RIP+0x91db70]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!MaskBlt 000007feff6f5bf0 6 bytes {JMP QWORD [RIP+0x93a440]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!CreateDCW 000007feff6f8398 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!CreateDCA 000007feff6f89bc 6 bytes JMP 65006d .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!GetPixel 000007feff6f9320 6 bytes {JMP QWORD [RIP+0x2c6d10]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!StretchBlt 000007feff6fb9e8 6 bytes {JMP QWORD [RIP+0x974648]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\GDI32.dll!PlgBlt 000007feff6fc8f0 6 bytes {JMP QWORD [RIP+0x953740]} .text C:\windows\system32\svchost.exe[1856] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\kernel32.dll!CopyFileExW 00000000774d1870 6 bytes {JMP QWORD [RIP+0x8c2e7c0]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000774ddbc0 6 bytes {JMP QWORD [RIP+0x8b82470]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 000000007754f500 6 bytes {JMP QWORD [RIP+0x8b50b30]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\kernel32.dll!MoveFileTransactedW 000000007754f530 6 bytes {JMP QWORD [RIP+0x8b90b00]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\kernel32.dll!MoveFileWithProgressA 000000007754f700 6 bytes {JMP QWORD [RIP+0x8b30930]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\kernel32.dll!MoveFileTransactedA 00000000775554d0 6 bytes {JMP QWORD [RIP+0x8b6ab60]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd7ab022 3 bytes [E8, 4F, 06] .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!DeleteDC 000007feff6f22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!BitBlt 000007feff6f24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!MaskBlt 000007feff6f5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!CreateDCW 000007feff6f8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!CreateDCA 000007feff6f89bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!GetPixel 000007feff6f9320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!StretchBlt 000007feff6fb9e8 6 bytes JMP 2bc5 .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\GDI32.dll!PlgBlt 000007feff6fc8f0 6 bytes JMP 452 .text C:\windows\system32\wbem\wmiprvse.exe[5032] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdfc74a0 6 bytes JMP 0 .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtClose 00000000778dfa2c 3 bytes JMP 71af000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778dfa30 2 bytes JMP 71af000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000778dfb74 3 bytes JMP 70c1000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000778dfb78 2 bytes JMP 70c1000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778dfcfc 3 bytes JMP 70e2000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778dfd00 2 bytes JMP 70e2000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778dfdb0 3 bytes JMP 70cd000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778dfdb4 2 bytes JMP 70cd000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778dfe14 3 bytes JMP 70d3000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778dfe18 2 bytes JMP 70d3000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778dff0c 3 bytes JMP 70ca000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778dff10 2 bytes JMP 70ca000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778dffc0 3 bytes JMP 70fa000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000778dffc4 2 bytes JMP 70fa000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778dfff0 3 bytes JMP 70d6000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778dfff4 2 bytes JMP 70d6000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778e0050 3 bytes JMP 70ee000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778e0054 2 bytes JMP 70ee000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778e00d0 3 bytes JMP 70eb000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778e00d4 2 bytes JMP 70eb000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778e0100 3 bytes JMP 70d0000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778e0104 2 bytes JMP 70d0000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778e0404 3 bytes JMP 70bb000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778e0408 2 bytes JMP 70bb000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000778e041c 3 bytes JMP 7100000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000778e0420 2 bytes JMP 7100000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778e059c 3 bytes JMP 7103000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778e05a0 2 bytes JMP 7103000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778e06e0 3 bytes JMP 70df000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778e06e4 2 bytes JMP 70df000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000778e0740 3 bytes JMP 70f7000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000778e0744 2 bytes JMP 70f7000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778e07e8 3 bytes JMP 70fd000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000778e07ec 2 bytes JMP 70fd000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreatePort 00000000778e0830 3 bytes JMP 70f1000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000778e0834 2 bytes JMP 70f1000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778e08c0 3 bytes JMP 70f4000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000778e08c4 2 bytes JMP 70f4000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778e08d8 3 bytes JMP 70c7000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778e08dc 2 bytes JMP 70c7000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778e08f0 3 bytes JMP 70be000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778e08f4 2 bytes JMP 70be000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778e0e40 3 bytes JMP 70dc000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778e0e44 2 bytes JMP 70dc000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778e0f24 3 bytes JMP 70c4000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778e0f28 2 bytes JMP 70c4000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778e1c30 3 bytes JMP 70d9000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778e1c34 2 bytes JMP 70d9000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778e1d00 3 bytes JMP 70e8000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778e1d04 2 bytes JMP 70e8000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778e1dd8 3 bytes JMP 70e5000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778e1ddc 2 bytes JMP 70e5000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077903bfb 6 bytes JMP 71a8000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000773d3bab 3 bytes JMP 719c000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000773d3baf 2 bytes JMP 719c000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000773d9aa4 6 bytes JMP 7187000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!CopyFileExW 00000000773e3b62 6 bytes JMP 717e000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000773eccd1 6 bytes JMP 718a000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007743dc3e 6 bytes JMP 7184000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007743dce1 6 bytes JMP 7181000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007736f784 6 bytes JMP 719f000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077372ca4 4 bytes CALL 71ac0000 .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000768a8332 6 bytes JMP 715d000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostThreadMessageW 00000000768a8bff 6 bytes JMP 7151000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768a90d3 6 bytes JMP 710c000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageW 00000000768a9679 6 bytes JMP 714b000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768a97d2 6 bytes JMP 7145000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000768aee09 6 bytes JMP 7163000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!RegisterHotKey 00000000768aefc9 3 bytes JMP 7112000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000768aefcd 2 bytes JMP 7112000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostMessageW 00000000768b12a5 6 bytes JMP 7157000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetKeyState 00000000768b291f 6 bytes JMP 712a000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetParent 00000000768b2d64 3 bytes JMP 7121000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000768b2d68 2 bytes JMP 7121000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!EnableWindow 00000000768b2da4 6 bytes JMP 7109000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!MoveWindow 00000000768b3698 3 bytes JMP 711e000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000768b369c 2 bytes JMP 711e000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostMessageA 00000000768b3baa 6 bytes JMP 715a000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000768b3c61 6 bytes JMP 7154000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000768b6110 6 bytes JMP 7160000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageA 00000000768b612e 6 bytes JMP 714e000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000768b6c30 6 bytes JMP 710f000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768b7603 6 bytes JMP 7166000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000768b7668 6 bytes JMP 7139000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768b76e0 6 bytes JMP 713f000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000768b781f 6 bytes JMP 7148000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768b835c 6 bytes JMP 7169000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000768bc4b6 3 bytes JMP 711b000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000768bc4ba 2 bytes JMP 711b000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768cc112 6 bytes JMP 7136000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768cd0f5 6 bytes JMP 7133000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768ceb96 6 bytes JMP 7127000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000768cec68 3 bytes JMP 712d000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768cec6c 2 bytes JMP 712d000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendInput 00000000768cff4a 3 bytes JMP 7130000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000768cff4e 2 bytes JMP 7130000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000768e9f1d 6 bytes JMP 7115000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000768f1497 6 bytes JMP 7106000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!mouse_event 000000007690027b 6 bytes JMP 716c000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!keybd_event 00000000769002bf 6 bytes JMP 716f000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076906cfc 6 bytes JMP 7142000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076906d5d 6 bytes JMP 713c000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!BlockInput 0000000076907dd7 3 bytes JMP 7118000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!BlockInput + 4 0000000076907ddb 2 bytes JMP 7118000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769088eb 3 bytes JMP 7124000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769088ef 2 bytes JMP 7124000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000772058b3 6 bytes JMP 718d000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!BitBlt 0000000077205ea5 6 bytes JMP 717b000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!CreateDCA 0000000077207ba4 6 bytes JMP 7196000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!GetPixel 000000007720b986 6 bytes JMP 7190000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!StretchBlt 000000007720ba5f 6 bytes JMP 7172000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!MaskBlt 000000007720cc01 6 bytes JMP 7178000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!CreateDCW 000000007720ea03 6 bytes JMP 7193000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000077234969 6 bytes JMP 7175000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075569d0b 6 bytes JMP 7199000a .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075961401 2 bytes JMP 773eb21b C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075961419 2 bytes JMP 773eb346 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075961431 2 bytes JMP 77468f29 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007596144a 2 bytes CALL 773c489d C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759614dd 2 bytes JMP 77468822 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759614f5 2 bytes JMP 774689f8 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007596150d 2 bytes JMP 77468718 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075961525 2 bytes JMP 77468ae2 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007596153d 2 bytes JMP 773dfca8 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075961555 2 bytes JMP 773e68ef C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007596156d 2 bytes JMP 77468fe3 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075961585 2 bytes JMP 77468b42 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007596159d 2 bytes JMP 774686dc C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759615b5 2 bytes JMP 773dfd41 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759615cd 2 bytes JMP 773eb2dc C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759616b2 2 bytes JMP 77468ea4 C:\windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5140] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759616bd 2 bytes JMP 77468671 C:\windows\syswow64\kernel32.dll ---- Processes - GMER 2.1 ---- Process C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe (*** suspicious ***) @ C:\Users\Ania\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe [5140](2014-01-28 16:36:04) 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6864 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6982 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe520a48 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619b28359 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6864 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6982 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe520a48 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619b28359 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----