GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-08 15:42:32 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-80JJ5T0 rev.01.01A01 298,09GB Running: 658dmoyv.exe; Driver: C:\Users\Agata\AppData\Local\Temp\fwddakog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077babee0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bac0e0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077babee0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bac0e0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\svchost.exe[916] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9a74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes JMP 84bdd18 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes JMP 12cc0 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes JMP d2a5900 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes JMP 1c0c0 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes JMP 8c33d68 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes JMP 8d7fdc8 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes JMP 150c0 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes JMP 8a48a70 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes JMP 101166b .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes JMP 8ad3cf8 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes JMP 8b17640 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes JMP 8d0e751 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes JMP 8cf5118 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes JMP 87f9f11 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes JMP 87fa0d1 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes JMP 101101f .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes JMP 87f9fd1 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes JMP 8a33808 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes JMP 76dcbc1 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes JMP 87fa451 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes JMP 83e8af8 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes JMP 787caf9 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes JMP 8b92100 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes JMP 309c0 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes JMP 1012f36 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes JMP e2190f8 .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes JMP 1011b551 .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077a51880 6 bytes JMP 86ae788 .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077a5dae0 6 bytes JMP 42c0 .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077acf690 6 bytes JMP 85cf5f0 .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077acf6c0 6 bytes JMP 858c4d1 .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077acf890 6 bytes JMP 858cb91 .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077ad56e0 6 bytes JMP 85ea900 .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\System32\svchost.exe[900] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9a74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077a51880 6 bytes {JMP QWORD [RIP+0x86ae7b0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077a5dae0 6 bytes {JMP QWORD [RIP+0x8602550]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077acf690 6 bytes {JMP QWORD [RIP+0x85d09a0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077acf6c0 6 bytes {JMP QWORD [RIP+0x8610970]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077acf890 6 bytes {JMP QWORD [RIP+0x85b07a0]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077ad56e0 6 bytes {JMP QWORD [RIP+0x85ea950]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe5f38a0 6 bytes {JMP QWORD [RIP+0x10c790]} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9a74a0 6 bytes JMP 200074 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077a51880 6 bytes {JMP QWORD [RIP+0x86ae7b0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077a5dae0 6 bytes {JMP QWORD [RIP+0x8602550]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077acf690 6 bytes {JMP QWORD [RIP+0x85d09a0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077acf6c0 6 bytes {JMP QWORD [RIP+0x8610970]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077acf890 6 bytes {JMP QWORD [RIP+0x85b07a0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077ad56e0 6 bytes {JMP QWORD [RIP+0x85ea950]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 35] .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdce22cc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdce24c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdce5bf0 6 bytes JMP ffffffff .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdce8398 6 bytes {JMP QWORD [RIP+0x2a7c98]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdce89bc 6 bytes {JMP QWORD [RIP+0x287674]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdce9320 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdceb9e8 6 bytes JMP 3697c5fa .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdcec8f0 6 bytes {JMP QWORD [RIP+0x343740]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077946ef0 6 bytes {JMP QWORD [RIP+0x8af9140]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077948184 6 bytes {JMP QWORD [RIP+0x8bd7eac]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetParent 0000000077948530 6 bytes {JMP QWORD [RIP+0x8b17b00]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077949bcc 6 bytes {JMP QWORD [RIP+0x8876464]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!PostMessageA 000000007794a404 6 bytes {JMP QWORD [RIP+0x88b5c2c]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!EnableWindow 000000007794aaa0 6 bytes {JMP QWORD [RIP+0x8c15590]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!MoveWindow 000000007794aad0 6 bytes {JMP QWORD [RIP+0x8b35560]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007794c720 6 bytes {JMP QWORD [RIP+0x8ad3910]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007794cd50 6 bytes {JMP QWORD [RIP+0x8bb32e0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007794d2b0 6 bytes {JMP QWORD [RIP+0x88f2d80]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendMessageA 000000007794d338 6 bytes {JMP QWORD [RIP+0x8932cf8]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007794dc40 6 bytes {JMP QWORD [RIP+0x8a123f0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007794f510 6 bytes {JMP QWORD [RIP+0x8bf0b20]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007794f874 4 bytes [FF, 25, BC, 07] .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 5 000000007794f879 1 byte [08] .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007794fac0 6 bytes {JMP QWORD [RIP+0x8990570]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077950b74 6 bytes {JMP QWORD [RIP+0x890f4bc]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000779533b0 6 bytes {JMP QWORD [RIP+0x888cc80]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077954d4d 5 bytes {JMP QWORD [RIP+0x884b2e4]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!GetKeyState 0000000077955010 6 bytes {JMP QWORD [RIP+0x8aab020]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077955438 6 bytes {JMP QWORD [RIP+0x89cabf8]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendMessageW 0000000077956b50 6 bytes {JMP QWORD [RIP+0x89494e0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!PostMessageW 00000000779576e4 6 bytes {JMP QWORD [RIP+0x88c894c]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007795dd90 6 bytes {JMP QWORD [RIP+0x8a422a0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!GetClipboardData 000000007795e874 6 bytes {JMP QWORD [RIP+0x8b817bc]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007795f780 6 bytes {JMP QWORD [RIP+0x8b408b0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779628e4 6 bytes {JMP QWORD [RIP+0x89dd74c]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!mouse_event 0000000077963894 6 bytes {JMP QWORD [RIP+0x87dc79c]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077968a10 6 bytes {JMP QWORD [RIP+0x8a77620]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077968be0 6 bytes {JMP QWORD [RIP+0x8957450]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077968c20 6 bytes {JMP QWORD [RIP+0x87f7410]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendInput 0000000077968cd0 6 bytes {JMP QWORD [RIP+0x8a57360]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!BlockInput 000000007796ad60 6 bytes {JMP QWORD [RIP+0x8b552d0]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000779914e0 6 bytes {JMP QWORD [RIP+0x8beeb50]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!keybd_event 00000000779b45a4 6 bytes {JMP QWORD [RIP+0x876ba8c]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000779bcc08 6 bytes {JMP QWORD [RIP+0x89c3428]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000779bdf18 6 bytes {JMP QWORD [RIP+0x8942118]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe748fe4 5 bytes [FF, 25, 4C, 70, E5] .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe962398 6 bytes {JMP QWORD [RIP+0xc1dc98]} .text C:\Windows\Explorer.EXE[1648] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9a74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdce22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdce24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdce5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdce8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdce89bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdce9320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdceb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdcec8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\System32\svchost.exe[1840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\System32\svchost.exe[1840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\taskeng.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\System32\igfxpers.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d5f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d5f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d5fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d5fb2c 2 bytes [C0, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d5fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d5fcb4 2 bytes [E1, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d5fd64 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d5fd68 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d5fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d5fdcc 2 bytes [D2, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d5fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d5fec4 2 bytes [C9, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d5ff74 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d5ff78 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d5ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d5ffa8 2 bytes [D5, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d60004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d60008 2 bytes [ED, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d60084 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d60088 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d600b4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d600b8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d603b8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d603bc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d603d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d603d4 2 bytes [FF, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d60550 3 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d60554 2 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d60694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d60698 2 bytes [DE, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d606f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d606f8 2 bytes [F6, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d6079c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d607a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d607e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d607e8 2 bytes [F0, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d60874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d60878 2 bytes [F3, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d6088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d60890 2 bytes [C6, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d608a4 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d608a8 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d60df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d60df8 2 bytes [DB, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d60ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d60edc 2 bytes [C3, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d61be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d61be8 2 bytes [D8, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d61cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d61cb8 2 bytes [E7, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d61d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d61d90 2 bytes [E4, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d7dffe 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3be3 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3be7 2 bytes [9B, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9ae4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3baa 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fcd11 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dd76 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584de19 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759df792 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 487 00000000759e2ca6 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d5f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d5f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d5fb28 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d5fb2c 2 bytes [C0, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d5fcb0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d5fcb4 2 bytes [E1, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d5fd64 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d5fd68 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d5fdc8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d5fdcc 2 bytes [D2, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d5fec0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d5fec4 2 bytes [C9, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d5ff74 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d5ff78 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d5ffa4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d5ffa8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d60004 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d60008 2 bytes [ED, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d60084 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d60088 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d600b4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d600b8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d603b8 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d603bc 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d603d0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d603d4 2 bytes [FF, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d60550 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d60554 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d60694 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d60698 2 bytes [DE, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d606f4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d606f8 2 bytes [F6, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d6079c 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d607a0 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d607e4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d607e8 2 bytes [F0, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d60874 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d60878 2 bytes [F3, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d6088c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d60890 2 bytes [C6, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d608a4 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d608a8 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d60df4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d60df8 2 bytes [DB, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d60ed8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d60edc 2 bytes [C3, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d61be4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d61be8 2 bytes [D8, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d61cb4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d61cb8 2 bytes [E7, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d61d8c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d61d90 2 bytes [E4, 70] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d7dffe 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3be3 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3be7 2 bytes [9B, 71] .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9ae4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3baa 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fcd11 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dd76 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Windows\SysWOW64\svchost.exe[2288] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584de19 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes CALL a900001f .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\system32\SearchIndexer.exe[3616] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9a74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d5f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d5f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d5fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d5fb2c 2 bytes [C0, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d5fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d5fcb4 2 bytes [E1, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d5fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d5fd68 2 bytes [CC, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d5fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d5fdcc 2 bytes [D2, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d5fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d5fec4 2 bytes [C9, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d5ff74 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d5ff78 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d5ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d5ffa8 2 bytes [D5, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d60004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d60008 2 bytes [ED, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d60084 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d60088 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d600b4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d600b8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d603b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d603bc 2 bytes [BA, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d603d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d603d4 2 bytes [FF, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d60550 3 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d60554 2 bytes JMP 7103000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d60694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d60698 2 bytes [DE, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d606f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d606f8 2 bytes [F6, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d6079c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d607a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d607e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d607e8 2 bytes [F0, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d60874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d60878 2 bytes [F3, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d6088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d60890 2 bytes [C6, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d608a4 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d608a8 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d60df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d60df8 2 bytes [DB, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d60ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d60edc 2 bytes [C3, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d61be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d61be8 2 bytes [D8, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d61cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d61cb8 2 bytes [E7, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d61d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d61d90 2 bytes [E4, 70] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d7dffe 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3be3 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3be7 2 bytes [9B, 71] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9ae4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3baa 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fcd11 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dd76 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584de19 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077a51880 6 bytes {JMP QWORD [RIP+0x86ae7b0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077a5dae0 6 bytes {JMP QWORD [RIP+0x8602550]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077acf690 6 bytes {JMP QWORD [RIP+0x85d09a0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077acf6c0 6 bytes {JMP QWORD [RIP+0x8610970]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077acf890 6 bytes {JMP QWORD [RIP+0x85b07a0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077ad56e0 6 bytes {JMP QWORD [RIP+0x85ea950]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 0A] .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077946ef0 6 bytes {JMP QWORD [RIP+0x8af9140]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077948184 6 bytes {JMP QWORD [RIP+0x8bd7eac]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetParent 0000000077948530 6 bytes {JMP QWORD [RIP+0x8b17b00]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077949bcc 6 bytes {JMP QWORD [RIP+0x8876464]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!PostMessageA 000000007794a404 6 bytes {JMP QWORD [RIP+0x88b5c2c]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!EnableWindow 000000007794aaa0 6 bytes {JMP QWORD [RIP+0x8c15590]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!MoveWindow 000000007794aad0 6 bytes {JMP QWORD [RIP+0x8b35560]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007794c720 6 bytes {JMP QWORD [RIP+0x8ad3910]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007794cd50 6 bytes {JMP QWORD [RIP+0x8bb32e0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007794d2b0 6 bytes {JMP QWORD [RIP+0x88f2d80]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendMessageA 000000007794d338 6 bytes {JMP QWORD [RIP+0x8932cf8]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007794dc40 6 bytes {JMP QWORD [RIP+0x8a123f0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007794f510 6 bytes {JMP QWORD [RIP+0x8bf0b20]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007794f874 4 bytes [FF, 25, BC, 07] .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 5 000000007794f879 1 byte [08] .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007794fac0 6 bytes {JMP QWORD [RIP+0x8990570]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077950b74 6 bytes {JMP QWORD [RIP+0x890f4bc]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000779533b0 6 bytes {JMP QWORD [RIP+0x888cc80]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077954d4d 5 bytes {JMP QWORD [RIP+0x884b2e4]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!GetKeyState 0000000077955010 6 bytes {JMP QWORD [RIP+0x8aab020]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077955438 6 bytes {JMP QWORD [RIP+0x89cabf8]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendMessageW 0000000077956b50 6 bytes {JMP QWORD [RIP+0x89494e0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!PostMessageW 00000000779576e4 6 bytes {JMP QWORD [RIP+0x88c894c]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007795dd90 6 bytes {JMP QWORD [RIP+0x8a422a0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!GetClipboardData 000000007795e874 6 bytes {JMP QWORD [RIP+0x8b817bc]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007795f780 6 bytes {JMP QWORD [RIP+0x8b408b0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779628e4 6 bytes {JMP QWORD [RIP+0x89dd74c]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!mouse_event 0000000077963894 6 bytes {JMP QWORD [RIP+0x87dc79c]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077968a10 6 bytes {JMP QWORD [RIP+0x8a77620]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077968be0 6 bytes {JMP QWORD [RIP+0x8957450]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077968c20 6 bytes {JMP QWORD [RIP+0x87f7410]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendInput 0000000077968cd0 6 bytes {JMP QWORD [RIP+0x8a57360]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!BlockInput 000000007796ad60 6 bytes {JMP QWORD [RIP+0x8b552d0]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000779914e0 6 bytes {JMP QWORD [RIP+0x8beeb50]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!keybd_event 00000000779b45a4 6 bytes {JMP QWORD [RIP+0x876ba8c]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000779bcc08 6 bytes {JMP QWORD [RIP+0x89c3428]} .text C:\Windows\System32\svchost.exe[4964] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000779bdf18 6 bytes {JMP QWORD [RIP+0x8942118]} .text C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer 12\LiveTunerService.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759df792 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer 12\LiveTunerService.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 487 00000000759e2ca6 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\servicing\TrustedInstaller.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x85d39b0]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077a51880 6 bytes {JMP QWORD [RIP+0x86ae7b0]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077a5dae0 6 bytes {JMP QWORD [RIP+0x8602550]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077acf690 6 bytes {JMP QWORD [RIP+0x85d09a0]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077acf6c0 6 bytes {JMP QWORD [RIP+0x8610970]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077acf890 6 bytes {JMP QWORD [RIP+0x85b07a0]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077ad56e0 6 bytes {JMP QWORD [RIP+0x85ea950]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes CALL c6000000 .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9a74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdce22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdce8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdce89bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\taskhost.exe[58484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdce9320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b822f0 6 bytes {JMP QWORD [RIP+0x84bdd40]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077babf20 6 bytes {JMP QWORD [RIP+0x8474110]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077babff0 6 bytes {JMP QWORD [RIP+0x8cb4040]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bac0f0 6 bytes {JMP QWORD [RIP+0x8b53f40]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bac160 6 bytes {JMP QWORD [RIP+0x8c33ed0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bac1a0 6 bytes {JMP QWORD [RIP+0x8bf3e90]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077bac240 6 bytes {JMP QWORD [RIP+0x8c53df0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bac2b0 6 bytes {JMP QWORD [RIP+0x8a53d80]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bac2d0 6 bytes {JMP QWORD [RIP+0x8bd3d60]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bac310 6 bytes {JMP QWORD [RIP+0x8ad3d20]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bac360 6 bytes {JMP QWORD [RIP+0x8af3cd0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bac380 6 bytes {JMP QWORD [RIP+0x8c13cb0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077bac570 6 bytes {JMP QWORD [RIP+0x8cf3ac0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077bac580 6 bytes {JMP QWORD [RIP+0x8a13ab0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bac680 6 bytes {JMP QWORD [RIP+0x89f39b0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077bac750 6 bytes {JMP QWORD [RIP+0x8b738e0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bac790 6 bytes {JMP QWORD [RIP+0x8a738a0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bac800 6 bytes {JMP QWORD [RIP+0x8a33830]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077bac830 6 bytes {JMP QWORD [RIP+0x8ab3800]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bac890 6 bytes {JMP QWORD [RIP+0x8a937a0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bac8a0 6 bytes {JMP QWORD [RIP+0x8c73790]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bac8b0 6 bytes {JMP QWORD [RIP+0x8cd3780]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bacc20 6 bytes {JMP QWORD [RIP+0x8b93410]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077baccb0 6 bytes {JMP QWORD [RIP+0x8c93380]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bad520 6 bytes {JMP QWORD [RIP+0x8bb2b10]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bad5a0 6 bytes {JMP QWORD [RIP+0x8b12a90]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bad620 6 bytes {JMP QWORD [RIP+0x8b32a10]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077a51880 6 bytes {JMP QWORD [RIP+0x86ae7b0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077a5dae0 6 bytes {JMP QWORD [RIP+0x8602550]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077acf690 6 bytes {JMP QWORD [RIP+0x85d09a0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077acf6c0 6 bytes {JMP QWORD [RIP+0x8610970]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077acf890 6 bytes {JMP QWORD [RIP+0x85b07a0]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077ad56e0 6 bytes {JMP QWORD [RIP+0x85ea950]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 345 000007fefdbdaa19 3 bytes [F1, 55, 06] .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdbe4bd0 5 bytes [FF, 25, 60, B4, 35] .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdce22cc 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdce24c0 6 bytes JMP e3 .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdce5bf0 6 bytes {JMP QWORD [RIP+0x32a440]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdce8398 6 bytes {JMP QWORD [RIP+0x2a7c98]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdce89bc 6 bytes {JMP QWORD [RIP+0x287674]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdce9320 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdceb9e8 6 bytes {JMP QWORD [RIP+0x364648]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdcec8f0 6 bytes {JMP QWORD [RIP+0x343740]} .text C:\Windows\System32\WUDFHost.exe[60488] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9a74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d5f9e0 3 bytes JMP 71af000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d5f9e4 2 bytes JMP 71af000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d5fb28 3 bytes JMP 70c1000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d5fb2c 2 bytes JMP 70c1000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d5fcb0 3 bytes JMP 70e2000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d5fcb4 2 bytes JMP 70e2000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d5fd64 3 bytes JMP 70cd000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d5fd68 2 bytes JMP 70cd000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d5fdc8 3 bytes JMP 70d3000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d5fdcc 2 bytes JMP 70d3000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d5fec0 3 bytes JMP 70ca000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d5fec4 2 bytes JMP 70ca000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d5ff74 3 bytes JMP 70fa000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d5ff78 2 bytes JMP 70fa000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d5ffa4 3 bytes JMP 70d6000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d5ffa8 2 bytes JMP 70d6000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d60004 3 bytes JMP 70ee000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d60008 2 bytes JMP 70ee000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d60084 3 bytes JMP 70eb000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d60088 2 bytes JMP 70eb000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d600b4 3 bytes JMP 70d0000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d600b8 2 bytes JMP 70d0000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d603b8 3 bytes JMP 70bb000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d603bc 2 bytes JMP 70bb000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d603d0 3 bytes JMP 7100000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d603d4 2 bytes JMP 7100000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d60550 3 bytes JMP 7103000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d60554 2 bytes JMP 7103000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d60694 3 bytes JMP 70df000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d60698 2 bytes JMP 70df000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d606f4 3 bytes JMP 70f7000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d606f8 2 bytes JMP 70f7000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d6079c 3 bytes JMP 70fd000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d607a0 2 bytes JMP 70fd000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d607e4 3 bytes JMP 70f1000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d607e8 2 bytes JMP 70f1000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d60874 3 bytes JMP 70f4000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d60878 2 bytes JMP 70f4000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d6088c 3 bytes JMP 70c7000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d60890 2 bytes JMP 70c7000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d608a4 3 bytes JMP 70be000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d608a8 2 bytes JMP 70be000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d60df4 3 bytes JMP 70dc000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d60df8 2 bytes JMP 70dc000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d60ed8 3 bytes JMP 70c4000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d60edc 2 bytes JMP 70c4000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d61be4 3 bytes JMP 70d9000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d61be8 2 bytes JMP 70d9000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d61cb4 3 bytes JMP 70e8000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d61cb8 2 bytes JMP 70e8000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d61d8c 3 bytes JMP 70e5000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d61d90 2 bytes JMP 70e5000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d7dffe 6 bytes JMP 71a8000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3be3 3 bytes JMP 719c000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3be7 2 bytes JMP 719c000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9ae4 6 bytes JMP 7187000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3baa 6 bytes JMP 717e000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fcd11 6 bytes JMP 718a000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dd76 6 bytes JMP 7184000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584de19 6 bytes JMP 7181000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759df792 6 bytes JMP 719f000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 487 00000000759e2ca6 4 bytes CALL 71ac0000 .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000758e8332 6 bytes JMP 715d000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000758e8bff 6 bytes JMP 7151000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000758e90d3 6 bytes JMP 710c000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000758e9679 6 bytes JMP 714b000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000758e97d2 6 bytes JMP 7145000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000758eee09 6 bytes JMP 7163000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000758eefc9 3 bytes JMP 7112000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000758eefcd 2 bytes JMP 7112000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000758f12a5 6 bytes JMP 7157000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000758f291f 6 bytes JMP 712a000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetParent 00000000758f2d64 3 bytes JMP 7121000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000758f2d68 2 bytes JMP 7121000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000758f2da4 6 bytes JMP 7109000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000758f3698 3 bytes JMP 711e000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000758f369c 2 bytes JMP 711e000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000758f3baa 6 bytes JMP 715a000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000758f3c61 6 bytes JMP 7154000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000758f6110 6 bytes JMP 7160000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000758f612e 6 bytes JMP 714e000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000758f6c30 6 bytes JMP 710f000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758f7603 6 bytes JMP 7166000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000758f7668 6 bytes JMP 7139000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000758f76e0 6 bytes JMP 713f000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000758f781f 6 bytes JMP 7148000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758f835c 6 bytes JMP 7169000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000758fc4b6 3 bytes JMP 711b000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000758fc4ba 2 bytes JMP 711b000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007590c112 6 bytes JMP 7136000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007590d0f5 6 bytes JMP 7133000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007590eb96 6 bytes JMP 7127000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007590ec68 3 bytes JMP 712d000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007590ec6c 2 bytes JMP 712d000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendInput 000000007590ff4a 3 bytes JMP 7130000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007590ff4e 2 bytes JMP 7130000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075929f1d 6 bytes JMP 7115000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075931497 6 bytes JMP 7106000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!mouse_event 000000007594027b 6 bytes JMP 716c000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!keybd_event 00000000759402bf 6 bytes JMP 716f000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075946cfc 6 bytes JMP 7142000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075946d5d 6 bytes JMP 713c000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075947dd7 3 bytes JMP 7118000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075947ddb 2 bytes JMP 7118000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000759488eb 3 bytes JMP 7124000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000759488ef 2 bytes JMP 7124000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076a258b3 6 bytes JMP 718d000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076a25ea5 6 bytes JMP 717b000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076a27ba4 6 bytes JMP 7196000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076a2b986 6 bytes JMP 7190000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076a2ba5f 6 bytes JMP 7172000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076a2cc01 6 bytes JMP 7178000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076a2ea03 6 bytes JMP 7193000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076a54969 6 bytes JMP 7175000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077289d0b 6 bytes JMP 7199000a .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077231401 2 bytes JMP 757fb263 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077231419 2 bytes JMP 757fb38e C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077231431 2 bytes JMP 75879099 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007723144a 2 bytes CALL 757d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772314dd 2 bytes JMP 7587898f C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772314f5 2 bytes JMP 75878b68 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007723150d 2 bytes JMP 75878885 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077231525 2 bytes JMP 75878c52 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007723153d 2 bytes JMP 757efce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077231555 2 bytes JMP 757f6937 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007723156d 2 bytes JMP 75879151 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077231585 2 bytes JMP 75878cb2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007723159d 2 bytes JMP 75878849 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772315b5 2 bytes JMP 757efd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772315cd 2 bytes JMP 757fb324 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772316b2 2 bytes JMP 75879014 C:\Windows\syswow64\kernel32.dll .text C:\Users\Agata\Desktop\658dmoyv.exe[52320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772316bd 2 bytes JMP 758787de C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1152:1300] 000007fefab18274 Thread C:\Windows\system32\svchost.exe [1152:1564] 000007fefab18274 Thread C:\Windows\System32\spoolsv.exe [1384:1596] 000007fef98e10c8 Thread C:\Windows\System32\spoolsv.exe [1384:1612] 000007fef98a6144 Thread C:\Windows\System32\spoolsv.exe [1384:1616] 000007fef9695fd0 Thread C:\Windows\System32\spoolsv.exe [1384:1620] 000007fef9683438 Thread C:\Windows\System32\spoolsv.exe [1384:1624] 000007fef96963ec Thread C:\Windows\System32\spoolsv.exe [1384:1664] 000007fef9975e5c Thread C:\Windows\System32\spoolsv.exe [1384:1668] 000007fef9a25074 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----