GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-11 18:32:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GJ00 298,09GB Running: nifr86lu.exe; Driver: C:\Users\dom\AppData\Local\Temp\uxriqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778a13c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a15c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[788] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[788] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000777423d0 6 bytes {JMP QWORD [RIP+0x89bdc60]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007774e750 6 bytes {JMP QWORD [RIP+0x89118e0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000777bf6c0 6 bytes {JMP QWORD [RIP+0x88e0970]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000777bf6f0 6 bytes {JMP QWORD [RIP+0x8920940]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000777bf8c0 6 bytes {JMP QWORD [RIP+0x88c0770]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000777c5690 6 bytes {JMP QWORD [RIP+0x88fa9a0]} .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes {JMP QWORD [RIP+0x2d8ba0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes JMP 515c929 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes JMP 5166709 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes JMP 71880 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes JMP 22cc80 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes JMP a6a5038 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes JMP 8c5c519 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes JMP a000e .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes JMP 8edc79a .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes JMP 84cad31 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes JMP 557e .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes JMP 8e148fa .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes JMP 3486680 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes JMP 515d0e1 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes JMP b1b84ba .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes JMP 10001 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes JMP 515d9c9 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes JMP 8e3df00 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes JMP 60017 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes JMP 100010 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes JMP 6a34949 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes JMP 140014 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes JMP 60006 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes JMP 8e23730 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes JMP 71ec0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000777423d0 6 bytes JMP c4c60a0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007774e750 6 bytes JMP 23881 .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000777bf6c0 6 bytes JMP c9f2761 .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000777bf6f0 6 bytes JMP cc7e681 .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000777bf8c0 6 bytes JMP 70007 .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000777c5690 6 bytes JMP 57004f .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes {JMP QWORD [RIP+0x2d8ba0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000777423d0 6 bytes {JMP QWORD [RIP+0x89bdc60]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007774e750 6 bytes {JMP QWORD [RIP+0x89118e0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000777bf6c0 6 bytes {JMP QWORD [RIP+0x88e0970]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000777bf6f0 6 bytes {JMP QWORD [RIP+0x8920940]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000777bf8c0 6 bytes {JMP QWORD [RIP+0x88c0770]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000777c5690 6 bytes {JMP QWORD [RIP+0x88fa9a0]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff266bd0 6 bytes {JMP QWORD [RIP+0x219460]} .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes {JMP QWORD [RIP+0x2d8ba0]} .text C:\Windows\system32\taskhost.exe[1448] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\taskhost.exe[1448] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\taskhost.exe[1448] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes {JMP QWORD [RIP+0x2d8ba0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\system32\svchost.exe[1476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[1476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000777423d0 6 bytes {JMP QWORD [RIP+0x89bdc60]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007774e750 6 bytes {JMP QWORD [RIP+0x89118e0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000777bf6c0 6 bytes {JMP QWORD [RIP+0x88e0970]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000777bf6f0 6 bytes {JMP QWORD [RIP+0x8920940]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000777bf8c0 6 bytes {JMP QWORD [RIP+0x88c0770]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000777c5690 6 bytes {JMP QWORD [RIP+0x88fa9a0]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes CALL f3004700 .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffac22cc 6 bytes {JMP QWORD [RIP+0x11dd64]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!BitBlt 000007feffac24c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffac5be0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffac8398 6 bytes {JMP QWORD [RIP+0xd7c98]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffac89c8 6 bytes {JMP QWORD [RIP+0xb7668]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!GetPixel 000007feffac9344 6 bytes {JMP QWORD [RIP+0xf6cec]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffacb9e8 6 bytes JMP ff32f450 .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffad5410 6 bytes {JMP QWORD [RIP+0x16ac20]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdcc8f6c 5 bytes [FF, 25, C4, 70, DF] .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdee19b8 6 bytes {JMP QWORD [RIP+0xbbe678]} .text C:\Windows\Explorer.EXE[1488] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes {JMP QWORD [RIP+0x5c8ba0]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a4f9d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a4f9d4 2 bytes [AE, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a4fb18 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a4fb1c 2 bytes [BA, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a4fca0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a4fca4 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a4fd54 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a4fd58 2 bytes [C6, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a4fdb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a4fdbc 2 bytes [CC, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a4feb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a4feb4 2 bytes [C3, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a4ff64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a4ff68 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a4ff94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a4ff98 2 bytes [CF, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a4fff4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a4fff8 2 bytes [E7, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a50074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a50078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a500a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a500a8 2 bytes [C9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a503a8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a503ac 2 bytes [B4, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077a503c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077a503c4 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a50540 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a50544 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a50684 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a50688 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077a506e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077a506e8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a5078c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077a50790 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077a507d4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077a507d8 2 bytes [EA, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077a50864 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077a50868 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5087c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a50880 2 bytes [C0, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a50894 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a50898 2 bytes [B7, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a50de4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a50de8 2 bytes [D5, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a50ec8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a50ecc 2 bytes [BD, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a51bd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a51bd8 2 bytes [D2, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a51ca4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a51ca8 2 bytes [E1, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a51d7c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a51d80 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a711d7 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075633bdb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075633bdf 2 bytes [9B, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075639ab4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075643b7a 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007564ccd1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007569d7e6 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1696] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007569d889 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000777423d0 6 bytes {JMP QWORD [RIP+0x89bdc60]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007774e750 6 bytes {JMP QWORD [RIP+0x89118e0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000777bf6c0 6 bytes {JMP QWORD [RIP+0x88e0970]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000777bf6f0 6 bytes {JMP QWORD [RIP+0x8920940]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000777bf8c0 6 bytes {JMP QWORD [RIP+0x88c0770]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000777c5690 6 bytes {JMP QWORD [RIP+0x88fa9a0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes {JMP QWORD [RIP+0x5c8ba0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffac22cc 6 bytes {JMP QWORD [RIP+0x12dd64]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!BitBlt 000007feffac24c0 6 bytes {JMP QWORD [RIP+0x14db70]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffac5be0 6 bytes {JMP QWORD [RIP+0x16a450]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffac8398 6 bytes {JMP QWORD [RIP+0xe7c98]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffac89c8 6 bytes {JMP QWORD [RIP+0xc7668]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!GetPixel 000007feffac9344 4 bytes [FF, 25, EC, 6C] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!GetPixel + 5 000007feffac9349 1 byte [00] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffacb9e8 6 bytes {JMP QWORD [RIP+0x1a4648]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1876] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffad5410 6 bytes {JMP QWORD [RIP+0x17ac20]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a4f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a4f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a4fb18 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a4fb1c 2 bytes [B4, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a4fca0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a4fca4 2 bytes [D5, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a4fd54 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a4fd58 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a4fdb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a4fdbc 2 bytes [C6, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a4feb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a4feb4 2 bytes [BD, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a4ff64 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a4ff68 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a4ff94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a4ff98 2 bytes [C9, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a4fff4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a4fff8 2 bytes [E1, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a50074 3 bytes JMP 70df000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a50078 2 bytes JMP 70df000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a500a4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a500a8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a503a8 3 bytes JMP 70af000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a503ac 2 bytes JMP 70af000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077a503c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077a503c4 2 bytes [F3, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a50540 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a50544 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a50684 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a50688 2 bytes [D2, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077a506e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077a506e8 2 bytes [EA, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a5078c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077a50790 2 bytes [F0, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077a507d4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077a507d8 2 bytes [E4, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077a50864 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077a50868 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5087c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a50880 2 bytes [BA, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a50894 3 bytes JMP 70b2000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a50898 2 bytes JMP 70b2000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a50de4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a50de8 2 bytes [CF, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a50ec8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a50ecc 2 bytes [B7, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a51bd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a51bd8 2 bytes [CC, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a51ca4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a51ca8 2 bytes [DB, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a51d7c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a51d80 2 bytes [D8, 70] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a711d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075633bdb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075633bdf 2 bytes [9B, 71] .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075639ab4 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075643b7a 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007564ccd1 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007569d7e6 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007569d889 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f3f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075f42c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ipla\ipla.exe[3144] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076819d0b 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077873ae0 6 bytes {JMP QWORD [RIP+0x87cc550]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778a1400 6 bytes {JMP QWORD [RIP+0x877ec30]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000778a14d0 6 bytes {JMP QWORD [RIP+0x8fbeb60]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a15d0 6 bytes {JMP QWORD [RIP+0x8e5ea60]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778a1640 6 bytes {JMP QWORD [RIP+0x8f3e9f0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a1680 6 bytes {JMP QWORD [RIP+0x8efe9b0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778a1720 6 bytes {JMP QWORD [RIP+0x8f5e910]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a1790 6 bytes {JMP QWORD [RIP+0x8d5e8a0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a17b0 6 bytes {JMP QWORD [RIP+0x8ede880]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a17f0 6 bytes {JMP QWORD [RIP+0x8dde840]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a1840 6 bytes {JMP QWORD [RIP+0x8dfe7f0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778a1860 6 bytes {JMP QWORD [RIP+0x8f1e7d0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778a1a50 6 bytes {JMP QWORD [RIP+0x8ffe5e0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000778a1a60 6 bytes {JMP QWORD [RIP+0x8d1e5d0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a1b60 6 bytes {JMP QWORD [RIP+0x8cfe4d0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778a1c30 6 bytes {JMP QWORD [RIP+0x8e7e400]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a1c70 6 bytes {JMP QWORD [RIP+0x8d7e3c0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a1ce0 6 bytes {JMP QWORD [RIP+0x8d3e350]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000778a1d10 6 bytes {JMP QWORD [RIP+0x8dbe320]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a1d70 6 bytes {JMP QWORD [RIP+0x8d9e2c0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778a1d80 6 bytes {JMP QWORD [RIP+0x8f7e2b0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a1d90 6 bytes {JMP QWORD [RIP+0x8fde2a0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a2100 6 bytes {JMP QWORD [RIP+0x8e9df30]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a2190 6 bytes {JMP QWORD [RIP+0x8f9dea0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a2a00 6 bytes {JMP QWORD [RIP+0x8ebd630]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a2a80 6 bytes {JMP QWORD [RIP+0x8e1d5b0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a2b00 6 bytes {JMP QWORD [RIP+0x8e3d530]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000777423d0 6 bytes {JMP QWORD [RIP+0x89bdc60]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007774e750 6 bytes {JMP QWORD [RIP+0x89118e0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000777bf6c0 6 bytes {JMP QWORD [RIP+0x88e0970]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000777bf6f0 6 bytes {JMP QWORD [RIP+0x8920940]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000777bf8c0 6 bytes {JMP QWORD [RIP+0x88c0770]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000777c5690 6 bytes {JMP QWORD [RIP+0x88fa9a0]} .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\SearchIndexer.exe[3288] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefebd7490 6 bytes {JMP QWORD [RIP+0x2d8ba0]} .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd8bb7b1 5 bytes {JMP QWORD [RIP+0xb4880]} .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd8bb915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8c67c0 5 bytes [FF, 25, 70, 98, 0C] .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a4f9d0 3 bytes JMP 71af000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a4f9d4 2 bytes JMP 71af000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077a4fb18 3 bytes JMP 70c1000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077a4fb1c 2 bytes JMP 70c1000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a4fca0 3 bytes JMP 70e2000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a4fca4 2 bytes JMP 70e2000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a4fd54 3 bytes JMP 70cd000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a4fd58 2 bytes JMP 70cd000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a4fdb8 3 bytes JMP 70d3000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a4fdbc 2 bytes JMP 70d3000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a4feb0 3 bytes JMP 70ca000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a4feb4 2 bytes JMP 70ca000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077a4ff64 3 bytes JMP 70fa000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077a4ff68 2 bytes JMP 70fa000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a4ff94 3 bytes JMP 70d6000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a4ff98 2 bytes JMP 70d6000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a4fff4 3 bytes JMP 70ee000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a4fff8 2 bytes JMP 70ee000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a50074 3 bytes JMP 70eb000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a50078 2 bytes JMP 70eb000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a500a4 3 bytes JMP 70d0000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a500a8 2 bytes JMP 70d0000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a503a8 3 bytes JMP 70bb000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a503ac 2 bytes JMP 70bb000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077a503c0 3 bytes JMP 7100000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077a503c4 2 bytes JMP 7100000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a50540 3 bytes JMP 7103000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a50544 2 bytes JMP 7103000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a50684 3 bytes JMP 70df000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a50688 2 bytes JMP 70df000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077a506e4 3 bytes JMP 70f7000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077a506e8 2 bytes JMP 70f7000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a5078c 3 bytes JMP 70fd000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077a50790 2 bytes JMP 70fd000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077a507d4 3 bytes JMP 70f1000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077a507d8 2 bytes JMP 70f1000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077a50864 3 bytes JMP 70f4000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077a50868 2 bytes JMP 70f4000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a5087c 3 bytes JMP 70c7000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a50880 2 bytes JMP 70c7000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a50894 3 bytes JMP 70be000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a50898 2 bytes JMP 70be000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a50de4 3 bytes JMP 70dc000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a50de8 2 bytes JMP 70dc000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a50ec8 3 bytes JMP 70c4000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a50ecc 2 bytes JMP 70c4000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a51bd4 3 bytes JMP 70d9000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a51bd8 2 bytes JMP 70d9000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a51ca4 3 bytes JMP 70e8000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a51ca8 2 bytes JMP 70e8000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a51d7c 3 bytes JMP 70e5000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a51d80 2 bytes JMP 70e5000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a711d7 6 bytes JMP 71a8000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075633bdb 3 bytes JMP 719c000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075633bdf 2 bytes JMP 719c000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075639ab4 6 bytes JMP 7187000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075643b7a 6 bytes JMP 717e000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007564ccd1 6 bytes JMP 718a000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007569d7e6 6 bytes JMP 7184000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007569d889 6 bytes JMP 7181000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075f3f776 6 bytes JMP 719f000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075f42c91 4 bytes CALL 71ac0000 .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075fe8332 6 bytes JMP 715d000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075fe8bff 6 bytes JMP 7151000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075fe90d3 6 bytes JMP 710c000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075fe9679 6 bytes JMP 714b000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075fe97d2 6 bytes JMP 7145000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075feee09 6 bytes JMP 7163000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075feefc9 3 bytes JMP 7112000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075feefcd 2 bytes JMP 7112000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ff12a5 6 bytes JMP 7157000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ff291f 6 bytes JMP 712a000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ff2d64 3 bytes JMP 7121000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ff2d68 2 bytes JMP 7121000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ff2da4 6 bytes JMP 7109000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ff3698 3 bytes JMP 711e000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ff369c 2 bytes JMP 711e000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ff3baa 6 bytes JMP 715a000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ff3c61 6 bytes JMP 7154000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075ff6110 6 bytes JMP 7160000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ff612e 6 bytes JMP 714e000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ff6c30 6 bytes JMP 710f000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ff7603 6 bytes JMP 7166000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ff7668 6 bytes JMP 7139000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ff76e0 6 bytes JMP 713f000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ff781f 6 bytes JMP 7148000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ff835c 6 bytes JMP 7169000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075ffc4b6 3 bytes JMP 711b000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075ffc4ba 2 bytes JMP 711b000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007600c112 6 bytes JMP 7136000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007600d0f5 6 bytes JMP 7133000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007600eb96 6 bytes JMP 7127000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007600ec68 3 bytes JMP 712d000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007600ec6c 2 bytes JMP 712d000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendInput 000000007600ff4a 3 bytes JMP 7130000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007600ff4e 2 bytes JMP 7130000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076029f1d 6 bytes JMP 7115000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076031497 6 bytes JMP 7106000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!mouse_event 000000007604027b 6 bytes JMP 716c000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!keybd_event 00000000760402bf 6 bytes JMP 716f000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076046cfc 6 bytes JMP 7142000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076046d5d 6 bytes JMP 713c000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076047dd7 3 bytes JMP 7118000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076047ddb 2 bytes JMP 7118000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000760488eb 3 bytes JMP 7124000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000760488ef 2 bytes JMP 7124000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075b358b3 6 bytes JMP 718d000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075b35ea6 6 bytes JMP 717b000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075b37bcc 6 bytes JMP 7196000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075b3b895 6 bytes JMP 7172000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075b3c332 6 bytes JMP 7178000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075b3cbfb 6 bytes JMP 7190000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075b3e743 6 bytes JMP 7193000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075b64646 6 bytes JMP 7175000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076819d0b 6 bytes JMP 7199000a .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077a01465 2 bytes [A0, 77] .text C:\Users\dom\Downloads\nifr86lu.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077a014bb 2 bytes [A0, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4376:4464] 00000000767b7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4376:4472] 000000006c9c7712 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4376:4540] 0000000077a741f3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4376:2616] 0000000077a76679 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4376:2492] 0000000077a76679 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4376:4772] 0000000077a76679 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----