GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-25 01:40:50 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001c WDC_WD10JPVX-22JC3T0 rev.01.01A01 931,51GB Running: 4sgecfcr.exe; Driver: C:\Users\Janusz\AppData\Local\Temp\ugldipob.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd8569ffc0 5 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd856a41d0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590718 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445909b8 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445906b8 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590958 .text C:\WINDOWS\system32\services.exe[876] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\lsass.exe[904] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffd8458cd7b 3 bytes [8F, 32, 2F] .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\KERNELBASE.dll!CreateProcessInternalW 00007ffd84591380 5 bytes JMP 00007ffd44590178 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffd845b7460 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\KERNELBASE.dll!CopyFile2 00007ffd845b9f00 7 bytes JMP 00007ffd44590778 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\KERNELBASE.dll!CopyFileExW 00007ffd845ba080 7 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd845d0490 7 bytes JMP 00007ffd44590358 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\KERNELBASE.dll!DefineDosDeviceW 00007ffd845d1dd0 5 bytes JMP 00007ffd445903b8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd8569ffc0 5 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd856a41d0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591318 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445912b8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591858 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd44591678 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590718 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445909b8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445906b8 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590958 .text C:\WINDOWS\system32\svchost.exe[992] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd8569ffc0 5 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd856a41d0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590718 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445909b8 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445906b8 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590958 .text C:\WINDOWS\system32\svchost.exe[360] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd8569ffc0 5 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd856a41d0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591318 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445912b8 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591858 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd44591678 .text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\System32\svchost.exe[912] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\svchost.exe[1236] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd8569ffc0 5 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[1236] C:\WINDOWS\System32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd856a41d0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\igfxCUIService.exe[1396] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\System32\svchost.exe[1544] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\System32\svchost.exe[1572] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 ? C:\WINDOWS\SYSTEM32\iertutil.dll [1632] entry point in ".rdata" section 00000000701f1150 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\svchost.exe[1868] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\System32\svchost.exe[2168] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\svchost.exe[1956] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3812] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe[7592] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 ? C:\WINDOWS\system32\apphelp.dll [8052] entry point in ".rdata" section 000000006b77f7c0 ? C:\WINDOWS\system32\apphelp.dll [6996] entry point in ".rdata" section 000000006b77f7c0 ? C:\WINDOWS\System32\iertutil.dll [6996] entry point in ".rdata" section 00000000701f1150 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6996] entry point in ".rdata" section 000000006c0ea020 ? C:\WINDOWS\system32\ncryptsslp.dll [6996] entry point in ".rdata" section 000000006c0c04f0 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\gdi32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\System32\dwm.exe[5608] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\atieclxx.exe[9340] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[9072] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffd8458cd7b 3 bytes [8F, 32, 2F] .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\KERNELBASE.dll!CreateProcessInternalW 00007ffd84591380 5 bytes JMP 00007ffd44590178 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffd845b7460 6 bytes JMP 00007ffd44590778 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\KERNELBASE.dll!CopyFile2 00007ffd845b9f00 7 bytes JMP 00007ffd445906b8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\KERNELBASE.dll!CopyFileExW 00007ffd845ba080 7 bytes JMP 00007ffd44590718 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd845d0490 7 bytes JMP 00007ffd44590358 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\KERNELBASE.dll!DefineDosDeviceW 00007ffd845d1dd0 5 bytes JMP 00007ffd445903b8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\sihost.exe[840] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\svchost.exe[1444] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd877bdb50 7 bytes JMP 00007ffd44590238 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffd87815020 8 bytes JMP 00007ffd445901d8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd878151c0 8 bytes JMP 00007ffd44592158 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd878153c0 8 bytes JMP 00007ffd44591cd8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd878154a0 8 bytes JMP 00007ffd44591fd8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd87815520 8 bytes JMP 00007ffd44591f18 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd87815660 8 bytes JMP 00007ffd44592038 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd87815740 8 bytes JMP 00007ffd445919d8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd87815780 8 bytes JMP 00007ffd44591eb8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd87815800 8 bytes JMP 00007ffd44591b58 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd878158a0 8 bytes JMP 00007ffd44591bb8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd878158e0 8 bytes JMP 00007ffd44591f78 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd87815cd0 8 bytes JMP 00007ffd44592218 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPortEx 00007ffd87815cf0 8 bytes JMP 00007ffd44591d98 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd87815d10 8 bytes JMP 00007ffd44591918 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd87815f30 8 bytes JMP 00007ffd445918b8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd87816170 8 bytes JMP 00007ffd44591d38 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd87816230 8 bytes JMP 00007ffd44591a38 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd87816350 8 bytes JMP 00007ffd44591978 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd878163d0 8 bytes JMP 00007ffd44591af8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd878164b0 8 bytes JMP 00007ffd44591a98 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd878164d0 8 bytes JMP 00007ffd44592098 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd878164f0 8 bytes JMP 00007ffd445921b8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd87816d50 8 bytes JMP 00007ffd44591df8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd87816e90 8 bytes JMP 00007ffd445920f8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd87818110 8 bytes JMP 00007ffd44591e58 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd87818250 8 bytes JMP 00007ffd44591c18 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd87818370 8 bytes JMP 00007ffd44591c78 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\taskhostw.exe[6580] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd445916d8 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd445914f8 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd44591498 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd44591798 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591a38 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd44591858 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591618 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Windows\System32\RuntimeBroker.exe[5740] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd877bdb50 7 bytes JMP 00007ffd44590238 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffd87815020 8 bytes JMP 00007ffd445901d8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd878151c0 8 bytes JMP 00007ffd44592158 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd878153c0 8 bytes JMP 00007ffd44591cd8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd878154a0 8 bytes JMP 00007ffd44591fd8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd87815520 8 bytes JMP 00007ffd44591f18 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd87815660 8 bytes JMP 00007ffd44592038 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd87815740 8 bytes JMP 00007ffd445919d8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd87815780 8 bytes JMP 00007ffd44591eb8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd87815800 8 bytes JMP 00007ffd44591b58 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd878158a0 8 bytes JMP 00007ffd44591bb8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd878158e0 8 bytes JMP 00007ffd44591f78 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd87815cd0 8 bytes JMP 00007ffd44592218 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPortEx 00007ffd87815cf0 8 bytes JMP 00007ffd44591d98 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd87815d10 8 bytes JMP 00007ffd44591918 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd87815f30 8 bytes JMP 00007ffd445918b8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd87816170 8 bytes JMP 00007ffd44591d38 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd87816230 8 bytes JMP 00007ffd44591a38 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd87816350 8 bytes JMP 00007ffd44591978 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd878163d0 8 bytes JMP 00007ffd44591af8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd878164b0 8 bytes JMP 00007ffd44591a98 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd878164d0 8 bytes JMP 00007ffd44592098 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd878164f0 8 bytes JMP 00007ffd445921b8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd87816d50 8 bytes JMP 00007ffd44591df8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd87816e90 8 bytes JMP 00007ffd445920f8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd87818110 8 bytes JMP 00007ffd44591e58 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd87818250 8 bytes JMP 00007ffd44591c18 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd87818370 8 bytes JMP 00007ffd44591c78 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendDlgItemMessageW 00007ffd85d51a90 5 bytes JMP 00007ffd44591198 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExA 00007ffd85d52730 12 bytes JMP 00007ffd44590a18 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendMessageW 00007ffd85d60ef0 5 bytes JMP 00007ffd44590e98 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetWindowLongW 00007ffd85d61310 5 bytes JMP 00007ffd44590b98 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetWindowLongPtrW 00007ffd85d67db0 8 bytes JMP 00007ffd44590c58 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendMessageA 00007ffd85d68390 5 bytes JMP 00007ffd44590e38 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendNotifyMessageW 00007ffd85d69530 9 bytes JMP 00007ffd445910d8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetWindowLongPtrA 00007ffd85d697f0 6 bytes JMP 00007ffd44590bf8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!PostMessageW 00007ffd85d6afa0 5 bytes JMP 00007ffd44590d18 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SystemParametersInfoW 00007ffd85d6eb50 5 bytes JMP 00007ffd44591678 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendMessageTimeoutW 00007ffd85d6f5d0 5 bytes JMP 00007ffd44590f58 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SystemParametersInfoA 00007ffd85d73700 5 bytes JMP 00007ffd44591618 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!GetAsyncKeyState 00007ffd85d74530 5 bytes JMP 00007ffd44591318 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!GetKeyState 00007ffd85d74650 6 bytes JMP 00007ffd445912b8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!PostThreadMessageW 00007ffd85d76760 10 bytes JMP 00007ffd44590dd8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendMessageCallbackW 00007ffd85d76bb0 7 bytes JMP 00007ffd44591018 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExW 00007ffd85d77490 9 bytes JMP 00007ffd44590a78 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetWinEventHook 00007ffd85d77d70 5 bytes JMP 00007ffd44590ad8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!PostThreadMessageA 00007ffd85d78ba0 7 bytes JMP 00007ffd44590d78 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!PostMessageA 00007ffd85d78c20 7 bytes JMP 00007ffd44590cb8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!EnableWindow 00007ffd85d7a310 9 bytes JMP 00007ffd445916d8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!mouse_event 00007ffd85d7b030 7 bytes JMP 00007ffd445909b8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!ExitWindowsEx 00007ffd85d7b460 5 bytes JMP 00007ffd44591738 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetParent 00007ffd85d7b740 8 bytes JMP 00007ffd445913d8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetWindowLongA 00007ffd85d7c0c0 6 bytes JMP 00007ffd44590b38 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SwitchDesktop 00007ffd85d7c210 5 bytes JMP 00007ffd445917f8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendNotifyMessageA 00007ffd85d7f270 12 bytes JMP 00007ffd44591078 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendMessageTimeoutA 00007ffd85d7f2b0 12 bytes JMP 00007ffd44590ef8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!GetClipboardData 00007ffd85d800d0 5 bytes JMP 00007ffd44591558 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetClipboardViewer 00007ffd85d80480 8 bytes JMP 00007ffd44591498 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!EndTask 00007ffd85db3370 5 bytes JMP 00007ffd44590418 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendMessageCallbackA 00007ffd85de29d0 7 bytes JMP 00007ffd44590fb8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SetSystemCursor 00007ffd85de6e50 5 bytes JMP 00007ffd44591858 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!keybd_event 00007ffd85de7700 7 bytes JMP 00007ffd44590958 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\USER32.dll!SendDlgItemMessageA 00007ffd85de7f80 5 bytes JMP 00007ffd44591138 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\Explorer.EXE[7424] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3296] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd877bdb50 7 bytes JMP 00007ffd44590238 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffd87815020 8 bytes JMP 00007ffd445901d8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd878151c0 8 bytes JMP 00007ffd44592158 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd878153c0 8 bytes JMP 00007ffd44591cd8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd878154a0 8 bytes JMP 00007ffd44591fd8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd87815520 8 bytes JMP 00007ffd44591f18 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd87815660 8 bytes JMP 00007ffd44592038 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd87815740 8 bytes JMP 00007ffd445919d8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd87815780 8 bytes JMP 00007ffd44591eb8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd87815800 8 bytes JMP 00007ffd44591b58 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd878158a0 8 bytes JMP 00007ffd44591bb8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd878158e0 8 bytes JMP 00007ffd44591f78 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd87815cd0 8 bytes JMP 00007ffd44592218 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPortEx 00007ffd87815cf0 8 bytes JMP 00007ffd44591d98 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd87815d10 8 bytes JMP 00007ffd44591918 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd87815f30 8 bytes JMP 00007ffd445918b8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd87816170 8 bytes JMP 00007ffd44591d38 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd87816230 8 bytes JMP 00007ffd44591a38 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd87816350 8 bytes JMP 00007ffd44591978 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd878163d0 8 bytes JMP 00007ffd44591af8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd878164b0 8 bytes JMP 00007ffd44591a98 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd878164d0 8 bytes JMP 00007ffd44592098 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd878164f0 8 bytes JMP 00007ffd445921b8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd87816d50 8 bytes JMP 00007ffd44591df8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd87816e90 8 bytes JMP 00007ffd445920f8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd87818110 8 bytes JMP 00007ffd44591e58 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd87818250 8 bytes JMP 00007ffd44591c18 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd87818370 8 bytes JMP 00007ffd44591c78 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\System32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffd8458cd7b 3 bytes [8F, 32, 2F] .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\System32\KERNELBASE.dll!CreateProcessInternalW 00007ffd84591380 5 bytes JMP 00007ffd44590178 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\System32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffd845b7460 6 bytes JMP 00007ffd44590778 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\System32\KERNELBASE.dll!CopyFile2 00007ffd845b9f00 7 bytes JMP 00007ffd445906b8 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\System32\KERNELBASE.dll!CopyFileExW 00007ffd845ba080 7 bytes JMP 00007ffd44590718 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\System32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd845d0490 7 bytes JMP 00007ffd44590358 .text C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2476] C:\WINDOWS\System32\KERNELBASE.dll!DefineDosDeviceW 00007ffd845d1dd0 5 bytes JMP 00007ffd445903b8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe[4188] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\wbem\unsecapp.exe[7240] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Program Files\Acer\Acer Launch Manager\LMTray.exe[7528] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\SettingSyncHost.exe[6040] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5164] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 ? C:\WINDOWS\system32\apphelp.dll [9512] entry point in ".rdata" section 000000006b77f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [9512] entry point in ".rdata" section 00000000701f1150 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5128] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffd87815140 8 bytes JMP 00007ffd877000d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3800] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[5968] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffd8458cd7b 3 bytes [8F, 32, 2F] .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\KERNELBASE.dll!CreateProcessInternalW 00007ffd84591380 5 bytes JMP 00007ffd44590178 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffd845b7460 6 bytes JMP 00007ffd44590778 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\KERNELBASE.dll!CopyFile2 00007ffd845b9f00 7 bytes JMP 00007ffd445906b8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\KERNELBASE.dll!CopyFileExW 00007ffd845ba080 7 bytes JMP 00007ffd44590718 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd845d0490 7 bytes JMP 00007ffd44590358 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\KERNELBASE.dll!DefineDosDeviceW 00007ffd845d1dd0 5 bytes JMP 00007ffd445903b8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\DllHost.exe[9816] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\mmc.exe[2456] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\System32\Taskmgr.exe[4660] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\ApplicationFrameHost.exe[8156] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffd8458cd7b 3 bytes [8F, 32, 2F] .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\KERNELBASE.dll!CreateProcessInternalW 00007ffd84591380 5 bytes JMP 00007ffd44590178 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffd845b7460 6 bytes JMP 00007ffd44590778 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\KERNELBASE.dll!CopyFile2 00007ffd845b9f00 7 bytes JMP 00007ffd445906b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\KERNELBASE.dll!CopyFileExW 00007ffd845ba080 7 bytes JMP 00007ffd44590718 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd845d0490 7 bytes JMP 00007ffd44590358 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\KERNELBASE.dll!DefineDosDeviceW 00007ffd845d1dd0 5 bytes JMP 00007ffd445903b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendDlgItemMessageW 00007ffd85d51a90 5 bytes JMP 00007ffd44591438 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExA 00007ffd85d52730 1 byte JMP 00007ffd44590cb8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExA + 2 00007ffd85d52732 10 bytes {JMP 0xffffffffbe83e588} .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendMessageW 00007ffd85d60ef0 5 bytes JMP 00007ffd44591138 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowLongW 00007ffd85d61310 5 bytes JMP 00007ffd44590e38 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!IsDialogMessageW 00007ffd85d641f0 5 bytes JMP 00007ffd44590c58 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!TranslateMessage 00007ffd85d65330 6 bytes JMP 00007ffd44590b98 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowLongPtrW 00007ffd85d67db0 8 bytes JMP 00007ffd44590ef8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendMessageA 00007ffd85d68390 5 bytes JMP 00007ffd445910d8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendNotifyMessageW 00007ffd85d69530 9 bytes JMP 00007ffd44591378 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowLongPtrA 00007ffd85d697f0 6 bytes JMP 00007ffd44590e98 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!PostMessageW 00007ffd85d6afa0 5 bytes JMP 00007ffd44590fb8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!PeekMessageA 00007ffd85d6e300 5 bytes JMP 00007ffd44590ad8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!PeekMessageW 00007ffd85d6e430 5 bytes JMP 00007ffd44590b38 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!GetMessageA 00007ffd85d6e8b0 5 bytes JMP 00007ffd44590a18 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SystemParametersInfoW 00007ffd85d6eb50 5 bytes JMP 00007ffd44591918 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendMessageTimeoutW 00007ffd85d6f5d0 5 bytes JMP 00007ffd445911f8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SystemParametersInfoA 00007ffd85d73700 5 bytes JMP 00007ffd445918b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!GetAsyncKeyState 00007ffd85d74530 5 bytes JMP 00007ffd445915b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!GetKeyState 00007ffd85d74650 6 bytes JMP 00007ffd44591558 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!GetMessageW 00007ffd85d74840 6 bytes JMP 00007ffd44590a78 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!PostThreadMessageW 00007ffd85d76760 10 bytes JMP 00007ffd44591078 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendMessageCallbackW 00007ffd85d76bb0 7 bytes JMP 00007ffd445912b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExW 00007ffd85d77490 1 byte JMP 00007ffd44590d18 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExW + 2 00007ffd85d77492 7 bytes {JMP 0xffffffffbe819888} .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWinEventHook 00007ffd85d77d70 5 bytes JMP 00007ffd44590d78 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!PostThreadMessageA 00007ffd85d78ba0 7 bytes JMP 00007ffd44591018 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!PostMessageA 00007ffd85d78c20 7 bytes JMP 00007ffd44590f58 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!EnableWindow 00007ffd85d7a310 1 byte JMP 00007ffd44591978 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!EnableWindow + 2 00007ffd85d7a312 7 bytes {JMP 0xffffffffbe817668} .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!mouse_event 00007ffd85d7b030 7 bytes JMP 00007ffd445909b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!ExitWindowsEx 00007ffd85d7b460 5 bytes JMP 00007ffd445919d8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetParent 00007ffd85d7b740 8 bytes JMP 00007ffd44591678 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetWindowLongA 00007ffd85d7c0c0 6 bytes JMP 00007ffd44590dd8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SwitchDesktop 00007ffd85d7c210 5 bytes JMP 00007ffd44591a98 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendNotifyMessageA 00007ffd85d7f270 12 bytes JMP 00007ffd44591318 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendMessageTimeoutA 00007ffd85d7f2b0 12 bytes JMP 00007ffd44591198 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!GetClipboardData 00007ffd85d800d0 5 bytes JMP 00007ffd445917f8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetClipboardViewer 00007ffd85d80480 8 bytes JMP 00007ffd44591738 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!EndTask 00007ffd85db3370 5 bytes JMP 00007ffd44590418 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!IsDialogMessage 00007ffd85db61f0 7 bytes JMP 00007ffd44590bf8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendMessageCallbackA 00007ffd85de29d0 7 bytes JMP 00007ffd44591258 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SetSystemCursor 00007ffd85de6e50 5 bytes JMP 00007ffd44591af8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!keybd_event 00007ffd85de7700 7 bytes JMP 00007ffd44590958 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\USER32.dll!SendDlgItemMessageA 00007ffd85de7f80 5 bytes JMP 00007ffd445913d8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd445916d8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd445914f8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd44591498 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd44591798 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591a38 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd44591858 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe[8220] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591618 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd445916d8 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd44591498 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591a38 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd44591858 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591618 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\browser_broker.exe[9436] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] C:\WINDOWS\System32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffd8458cd7b 3 bytes [8F, 32, 2F] .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] C:\WINDOWS\System32\KERNELBASE.dll!CreateProcessInternalW 00007ffd84591380 5 bytes JMP 00007ffd44590178 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] C:\WINDOWS\System32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffd845b7460 6 bytes JMP 00007ffd44590778 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] C:\WINDOWS\System32\KERNELBASE.dll!CopyFile2 00007ffd845b9f00 7 bytes JMP 00007ffd445906b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] C:\WINDOWS\System32\KERNELBASE.dll!CopyFileExW 00007ffd845ba080 7 bytes JMP 00007ffd44590718 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] C:\WINDOWS\System32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd845d0490 7 bytes JMP 00007ffd44590358 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] C:\WINDOWS\System32\KERNELBASE.dll!DefineDosDeviceW 00007ffd845d1dd0 5 bytes JMP 00007ffd445903b8 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Windows\System32\InstallAgent.exe[1900] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Windows\System32\smartscreen.exe[6600] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd877bdb50 7 bytes JMP 00007ffd44590238 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffd87815020 8 bytes JMP 00007ffd445901d8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd878151c0 8 bytes JMP 00007ffd44592158 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd878153c0 8 bytes JMP 00007ffd44591cd8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd878154a0 8 bytes JMP 00007ffd44591fd8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd87815520 8 bytes JMP 00007ffd44591f18 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd87815660 8 bytes JMP 00007ffd44592038 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd87815740 8 bytes JMP 00007ffd445919d8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd87815780 8 bytes JMP 00007ffd44591eb8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd87815800 8 bytes JMP 00007ffd44591b58 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd878158a0 8 bytes JMP 00007ffd44591bb8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd878158e0 8 bytes JMP 00007ffd44591f78 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd87815cd0 8 bytes JMP 00007ffd44592218 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPortEx 00007ffd87815cf0 8 bytes JMP 00007ffd44591d98 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd87815d10 8 bytes JMP 00007ffd44591918 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd87815f30 8 bytes JMP 00007ffd445918b8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd87816170 8 bytes JMP 00007ffd44591d38 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd87816230 8 bytes JMP 00007ffd44591a38 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd87816350 8 bytes JMP 00007ffd44591978 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd878163d0 8 bytes JMP 00007ffd44591af8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd878164b0 8 bytes JMP 00007ffd44591a98 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd878164d0 8 bytes JMP 00007ffd44592098 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd878164f0 8 bytes JMP 00007ffd445921b8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd87816d50 8 bytes JMP 00007ffd44591df8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd87816e90 8 bytes JMP 00007ffd445920f8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd87818110 8 bytes JMP 00007ffd44591e58 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd87818250 8 bytes JMP 00007ffd44591c18 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd87818370 8 bytes JMP 00007ffd44591c78 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[9432] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] C:\WINDOWS\System32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffd8458cd7b 3 bytes [8F, 32, 2F] .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] C:\WINDOWS\System32\KERNELBASE.dll!CreateProcessInternalW 00007ffd84591380 5 bytes JMP 00007ffd44590178 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] C:\WINDOWS\System32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffd845b7460 6 bytes JMP 00007ffd44590778 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] C:\WINDOWS\System32\KERNELBASE.dll!CopyFile2 00007ffd845b9f00 7 bytes JMP 00007ffd445906b8 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] C:\WINDOWS\System32\KERNELBASE.dll!CopyFileExW 00007ffd845ba080 7 bytes JMP 00007ffd44590718 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] C:\WINDOWS\System32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd845d0490 7 bytes JMP 00007ffd44590358 .text C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] C:\WINDOWS\System32\KERNELBASE.dll!DefineDosDeviceW 00007ffd845d1dd0 5 bytes JMP 00007ffd445903b8 ? C:\WINDOWS\system32\apphelp.dll [3724] entry point in ".rdata" section 000000006b77f7c0 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\conhost.exe[6984] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\combase.dll!CoCreateInstance 00007ffd84d959c0 6 bytes {JMP QWORD [RIP+0x4ba670]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\combase.dll!CoCreateInstanceEx 00007ffd84dc4fc0 6 bytes {JMP QWORD [RIP+0x46b070]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffd87711110 6 bytes {JMP QWORD [RIP+0x2bef20]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!NotifyServiceStatusChangeA 00007ffd87711170 6 bytes {JMP QWORD [RIP+0x35eec0]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffd8771dbe0 6 bytes {JMP QWORD [RIP+0x2f2450]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!SubscribeServiceChangeNotifications 00007ffd8771dc00 3 bytes [FF, 25, 30] .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!SubscribeServiceChangeNotifications + 4 00007ffd8771dc04 2 bytes [37, 00] .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!StartServiceCtrlDispatcherW 00007ffd8771ee20 6 bytes {JMP QWORD [RIP+0x251210]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!NotifyServiceStatusChange 00007ffd8771f090 6 bytes {JMP QWORD [RIP+0x330fa0]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!I_ScValidatePnPService 00007ffd8771f8c0 6 bytes {JMP QWORD [RIP+0x3b0770]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!I_ScPnPGetServiceName 00007ffd8771f9a0 6 bytes {JMP QWORD [RIP+0x390690]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffd8771fbf0 5 bytes [FF, 25, 40, 04, 29] .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!SetServiceStatus 00007ffd87721170 6 bytes {JMP QWORD [RIP+0x30eec0]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!StartServiceCtrlDispatcherA 00007ffd877285d0 6 bytes {JMP QWORD [RIP+0x267a60]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\sechost.dll!RegisterServiceCtrlHandlerA 00007ffd87728840 6 bytes {JMP QWORD [RIP+0x2c77f0]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\shell32.dll!ShellExecuteExW 00000263f56f2930 6 bytes {JMP QWORD [RIP+0x296d700]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\shell32.dll!Control_RunDLLAsUserW 00000263f588b3e0 6 bytes {JMP QWORD [RIP+0x2814c50]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\shell32.dll!Control_RunDLLW 00000263f588b420 6 bytes {JMP QWORD [RIP+0x27f4c10]} .text C:\WINDOWS\System32\rundll32.exe[9348] C:\WINDOWS\System32\shell32.dll!SHOpenFolderAndSelectItems 00000263f58e9fb0 6 bytes {JMP QWORD [RIP+0x2756080]} ? C:\WINDOWS\SYSTEM32\wship6.dll [7328] entry point in ".rdata" section 00000000680e2470 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [7328] entry point in ".rdata" section 000000006d0e8fc0 ? C:\WINDOWS\system32\apphelp.dll [7328] entry point in ".rdata" section 000000006b77f7c0 ? C:\WINDOWS\SYSTEM32\wship6.dll [5456] entry point in ".rdata" section 00000000680e2470 ? C:\WINDOWS\system32\apphelp.dll [9008] entry point in ".rdata" section 000000006b77f7c0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[1896] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\taskhostw.exe[6468] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 ? C:\WINDOWS\SYSTEM32\wship6.dll [5680] entry point in ".rdata" section 00000000680e2470 ? C:\Windows\System32\ActXPrxy.dll [5680] entry point in ".rdata" section 000000005fb89b80 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd877bdb50 7 bytes JMP 00007ffd44590238 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffd87815020 8 bytes JMP 00007ffd445901d8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd878151c0 8 bytes JMP 00007ffd44592158 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd878153c0 8 bytes JMP 00007ffd44591cd8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd878154a0 8 bytes JMP 00007ffd44591fd8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd87815520 8 bytes JMP 00007ffd44591f18 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd87815660 8 bytes JMP 00007ffd44592038 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd87815740 8 bytes JMP 00007ffd445919d8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd87815780 8 bytes JMP 00007ffd44591eb8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd87815800 8 bytes JMP 00007ffd44591b58 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd878158a0 8 bytes JMP 00007ffd44591bb8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd878158e0 8 bytes JMP 00007ffd44591f78 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd87815cd0 8 bytes JMP 00007ffd44592218 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPortEx 00007ffd87815cf0 8 bytes JMP 00007ffd44591d98 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd87815d10 8 bytes JMP 00007ffd44591918 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd87815f30 8 bytes JMP 00007ffd445918b8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd87816170 8 bytes JMP 00007ffd44591d38 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd87816230 8 bytes JMP 00007ffd44591a38 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd87816350 8 bytes JMP 00007ffd44591978 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd878163d0 8 bytes JMP 00007ffd44591af8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd878164b0 8 bytes JMP 00007ffd44591a98 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd878164d0 8 bytes JMP 00007ffd44592098 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd878164f0 8 bytes JMP 00007ffd445921b8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd87816d50 8 bytes JMP 00007ffd44591df8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd87816e90 8 bytes JMP 00007ffd445920f8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd87818110 8 bytes JMP 00007ffd44591e58 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd87818250 8 bytes JMP 00007ffd44591c18 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd87818370 8 bytes JMP 00007ffd44591c78 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendDlgItemMessageW 00007ffd85d51a90 5 bytes JMP 00007ffd44591198 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExA 00007ffd85d52730 12 bytes JMP 00007ffd44590a18 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendMessageW 00007ffd85d60ef0 5 bytes JMP 00007ffd44590e98 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetWindowLongW 00007ffd85d61310 5 bytes JMP 00007ffd44590b98 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetWindowLongPtrW 00007ffd85d67db0 8 bytes JMP 00007ffd44590c58 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendMessageA 00007ffd85d68390 5 bytes JMP 00007ffd44590e38 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendNotifyMessageW 00007ffd85d69530 9 bytes JMP 00007ffd445910d8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetWindowLongPtrA 00007ffd85d697f0 6 bytes JMP 00007ffd44590bf8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!PostMessageW 00007ffd85d6afa0 5 bytes JMP 00007ffd44590d18 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SystemParametersInfoW 00007ffd85d6eb50 5 bytes JMP 00007ffd44591678 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendMessageTimeoutW 00007ffd85d6f5d0 5 bytes JMP 00007ffd44590f58 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SystemParametersInfoA 00007ffd85d73700 5 bytes JMP 00007ffd44591618 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!GetAsyncKeyState 00007ffd85d74530 5 bytes JMP 00007ffd44591318 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!GetKeyState 00007ffd85d74650 6 bytes JMP 00007ffd445912b8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!PostThreadMessageW 00007ffd85d76760 10 bytes JMP 00007ffd44590dd8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendMessageCallbackW 00007ffd85d76bb0 7 bytes JMP 00007ffd44591018 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetWindowsHookExW 00007ffd85d77490 9 bytes JMP 00007ffd44590a78 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetWinEventHook 00007ffd85d77d70 5 bytes JMP 00007ffd44590ad8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!PostThreadMessageA 00007ffd85d78ba0 7 bytes JMP 00007ffd44590d78 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!PostMessageA 00007ffd85d78c20 7 bytes JMP 00007ffd44590cb8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!EnableWindow 00007ffd85d7a310 9 bytes JMP 00007ffd445916d8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!mouse_event 00007ffd85d7b030 7 bytes JMP 00007ffd445909b8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!ExitWindowsEx 00007ffd85d7b460 5 bytes JMP 00007ffd44591738 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetParent 00007ffd85d7b740 8 bytes JMP 00007ffd445913d8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetWindowLongA 00007ffd85d7c0c0 6 bytes JMP 00007ffd44590b38 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SwitchDesktop 00007ffd85d7c210 5 bytes JMP 00007ffd445917f8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendNotifyMessageA 00007ffd85d7f270 12 bytes JMP 00007ffd44591078 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendMessageTimeoutA 00007ffd85d7f2b0 12 bytes JMP 00007ffd44590ef8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!GetClipboardData 00007ffd85d800d0 5 bytes JMP 00007ffd44591558 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetClipboardViewer 00007ffd85d80480 8 bytes JMP 00007ffd44591498 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!EndTask 00007ffd85db3370 5 bytes JMP 00007ffd44590418 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendMessageCallbackA 00007ffd85de29d0 7 bytes JMP 00007ffd44590fb8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SetSystemCursor 00007ffd85de6e50 5 bytes JMP 00007ffd44591858 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!keybd_event 00007ffd85de7700 7 bytes JMP 00007ffd44590958 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\USER32.dll!SendDlgItemMessageA 00007ffd85de7f80 5 bytes JMP 00007ffd44591138 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\win32u.dll!NtUserMoveWindow 00007ffd84ac1c30 8 bytes JMP 00007ffd44591438 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\win32u.dll!NtUserGetKeyboardState 00007ffd84ac1f70 8 bytes JMP 00007ffd44591258 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\win32u.dll!NtUserSendInput 00007ffd84ac20b0 8 bytes JMP 00007ffd445911f8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\win32u.dll!NtUserBlockInput 00007ffd84ac7870 8 bytes JMP 00007ffd445914f8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\win32u.dll!NtUserClipCursor 00007ffd84ac7a50 8 bytes JMP 00007ffd44591798 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\win32u.dll!NtUserRegisterHotKey 00007ffd84ac9090 8 bytes JMP 00007ffd445915b8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\win32u.dll!NtUserRegisterRawInputDevices 00007ffd84ac9110 8 bytes JMP 00007ffd44591378 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!DeleteDC 00007ffd85ec2080 5 bytes JMP 00007ffd44590658 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffd85ec2e80 5 bytes JMP 00007ffd445907d8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!StretchBlt 00007ffd85ec3010 5 bytes JMP 00007ffd445908f8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!CreateDCA 00007ffd85ec38a0 5 bytes JMP 00007ffd44590478 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!CreateDCW 00007ffd85ec4190 6 bytes JMP 00007ffd445904d8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!GetPixel 00007ffd85ec4660 5 bytes JMP 00007ffd44590538 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!GdiAlphaBlend 00007ffd85ec5450 6 bytes JMP 00007ffd445905f8 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!GdiTransparentBlt 00007ffd85ec54e0 6 bytes JMP 00007ffd44590598 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!PlgBlt 00007ffd85ec56c0 6 bytes JMP 00007ffd44590898 .text C:\WINDOWS\system32\AUDIODG.EXE[9468] C:\WINDOWS\System32\GDI32.dll!MaskBlt 00007ffd85ecbe50 6 bytes JMP 00007ffd44590838 ? C:\WINDOWS\system32\apphelp.dll [4868] entry point in ".rdata" section 000000006b77f7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[2536] @ C:\WINDOWS\System32\KERNEL32.DLL[KERNELBASE.dll!MapViewOfFileExNuma] [7ffd7e8133f0] IAT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe[8984] @ C:\WINDOWS\System32\KERNEL32.DLL[KERNELBASE.dll!MapViewOfFileExNuma] [7ffd7e8133f0] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\lsass.exe [904:924] 00007ffd834ff550 Thread C:\WINDOWS\system32\svchost.exe [992:556] 00007ffd8198faa0 Thread C:\WINDOWS\system32\svchost.exe [992:592] 00007ffd8198ee70 Thread C:\WINDOWS\system32\svchost.exe [992:628] 00007ffd817889f0 Thread C:\WINDOWS\system32\svchost.exe [360:8132] 00007ffd81f37070 Thread C:\WINDOWS\system32\svchost.exe [360:7184] 00007ffd81f37070 Thread C:\WINDOWS\system32\svchost.exe [916:1156] 00007ffd80303270 Thread C:\WINDOWS\system32\svchost.exe [916:1992] 00007ffd7a7350c0 Thread C:\WINDOWS\system32\svchost.exe [916:2136] 00007ffd77231a50 Thread C:\WINDOWS\system32\svchost.exe [916:2440] 00007ffd760739b0 Thread C:\WINDOWS\system32\svchost.exe [916:3752] 00007ffd7dcd7ac0 Thread C:\WINDOWS\system32\svchost.exe [916:3756] 00007ffd7dcd7ac0 Thread C:\WINDOWS\system32\svchost.exe [916:3828] 00007ffd823e1040 Thread C:\WINDOWS\system32\svchost.exe [916:3832] 00007ffd824948e0 Thread C:\WINDOWS\system32\svchost.exe [916:3836] 00007ffd824948e0 Thread C:\WINDOWS\system32\svchost.exe [916:3880] 00007ffd82121930 Thread C:\WINDOWS\system32\svchost.exe [916:8036] 00007ffd7d8230f0 Thread C:\WINDOWS\system32\svchost.exe [916:6428] 00007ffd7d792cf0 Thread C:\WINDOWS\system32\svchost.exe [916:5472] 00007ffd7e8650a0 Thread C:\WINDOWS\system32\svchost.exe [1236:1356] 00007ffd811a04c0 Thread C:\WINDOWS\system32\svchost.exe [1236:1940] 00007ffd82956750 Thread C:\WINDOWS\system32\svchost.exe [1236:1160] 00007ffd82956750 Thread C:\WINDOWS\system32\svchost.exe [1236:644] 00007ffd82956750 Thread C:\WINDOWS\system32\svchost.exe [1236:1192] 00007ffd778fc5a0 Thread C:\WINDOWS\system32\svchost.exe [1236:1184] 00007ffd79966cf0 Thread C:\WINDOWS\system32\svchost.exe [1236:2056] 00007ffd778feab0 Thread C:\WINDOWS\system32\svchost.exe [1236:2284] 00007ffd778fd2d0 Thread C:\WINDOWS\system32\svchost.exe [1236:2288] 00007ffd778fe100 Thread C:\WINDOWS\system32\svchost.exe [1236:2320] 00007ffd770caf40 Thread C:\WINDOWS\system32\svchost.exe [1236:2352] 00007ffd770cca00 Thread C:\WINDOWS\system32\svchost.exe [1236:2892] 00007ffd74f51240 Thread C:\WINDOWS\system32\svchost.exe [1236:2896] 00007ffd74f8a3b0 Thread C:\WINDOWS\system32\svchost.exe [1236:2900] 00007ffd74f225e0 Thread C:\WINDOWS\system32\svchost.exe [1236:3784] 00007ffd75fa3bc0 Thread C:\WINDOWS\system32\svchost.exe [1236:8436] 00007ffd75fa2080 Thread C:\WINDOWS\system32\svchost.exe [1252:1480] 00007ffd80092b40 Thread C:\WINDOWS\system32\svchost.exe [1252:1524] 00007ffd7e930290 Thread C:\WINDOWS\system32\svchost.exe [1252:1528] 00007ffd7e92f8e0 Thread C:\WINDOWS\system32\svchost.exe [1252:1664] 00007ffd7d71a420 Thread C:\WINDOWS\system32\svchost.exe [1252:1720] 00007ffd7d7183a0 Thread C:\WINDOWS\system32\svchost.exe [1252:1724] 00007ffd7d71b090 Thread C:\WINDOWS\system32\svchost.exe [1252:1728] 00007ffd7d71a9a0 Thread C:\WINDOWS\system32\svchost.exe [1252:1732] 00007ffd7d71a770 Thread C:\WINDOWS\system32\svchost.exe [1252:2660] 00007ffd753799e0 Thread C:\WINDOWS\system32\svchost.exe [1252:2664] 00007ffd7d792cf0 Thread C:\WINDOWS\system32\svchost.exe [1252:3052] 00007ffd7d718b00 Thread C:\WINDOWS\system32\svchost.exe [1252:4228] 00007ffd80093c70 Thread C:\WINDOWS\system32\svchost.exe [1252:9524] 00007ffd7e752a20 Thread C:\WINDOWS\system32\svchost.exe [1252:9012] 00007ffd7e752610 Thread C:\WINDOWS\System32\svchost.exe [1544:1596] 00007ffd7d9b3210 Thread C:\WINDOWS\System32\svchost.exe [1544:1604] 00007ffd7d943ba0 Thread C:\WINDOWS\System32\svchost.exe [1572:1624] 00007ffd7d8ef050 Thread C:\WINDOWS\System32\svchost.exe [1572:1684] 00007ffd7d6bc030 Thread C:\WINDOWS\System32\svchost.exe [1572:1704] 00007ffd7d6b7000 Thread C:\WINDOWS\System32\svchost.exe [1572:1712] 00007ffd7d6bad30 Thread C:\WINDOWS\System32\svchost.exe [1572:1716] 00007ffd7d6b8370 Thread C:\WINDOWS\System32\svchost.exe [1572:1988] 00007ffd793f87e0 Thread C:\WINDOWS\System32\svchost.exe [1572:3112] 00007ffd7d8230f0 Thread C:\WINDOWS\System32\svchost.exe [1572:3736] 00007ffd756fc820 Thread C:\WINDOWS\System32\svchost.exe [1572:3740] 00007ffd756fc820 Thread C:\WINDOWS\System32\svchost.exe [1572:10152] 00007ffd7d6bc830 Thread C:\WINDOWS\System32\svchost.exe [1572:8308] 00007ffd7d6b7d50 Thread C:\WINDOWS\system32\svchost.exe [1688:1764] 00007ffd7c3de830 Thread C:\WINDOWS\system32\svchost.exe [1688:1780] 00007ffd7be510a0 Thread C:\WINDOWS\system32\svchost.exe [1688:1844] 00007ffd7be3a5e0 Thread C:\WINDOWS\system32\svchost.exe [1688:2652] 00007ffd7d7caee0 Thread C:\WINDOWS\system32\svchost.exe [1688:2656] 00007ffd7d792cf0 Thread C:\WINDOWS\system32\svchost.exe [1688:2800] 00007ffd753a5bc0 Thread C:\WINDOWS\system32\svchost.exe [1688:2808] 00007ffd753a9b10 Thread C:\WINDOWS\system32\svchost.exe [1688:2812] 00007ffd7d792cf0 Thread C:\WINDOWS\system32\svchost.exe [1688:4316] 00007ffd7be3a5e0 Thread C:\WINDOWS\system32\svchost.exe [1828:1948] 00007ffd8501b310 Thread C:\WINDOWS\system32\svchost.exe [1828:2088] 00007ffd772d44b0 Thread C:\WINDOWS\system32\svchost.exe [1828:2768] 00007ffd82956750 Thread C:\WINDOWS\SysWoW64\svchost.exe [2060:2752] 0000000070b42ea0 Thread C:\WINDOWS\system32\dashost.exe [2508:3128] 00007ffd7d8230f0 Thread C:\WINDOWS\system32\svchost.exe [1956:3096] 00007ffd749bb180 Thread C:\WINDOWS\system32\svchost.exe [1956:3100] 00007ffd749bf5f0 Thread C:\WINDOWS\system32\svchost.exe [1956:3152] 00007ffd752f5bc0 Thread C:\WINDOWS\system32\svchost.exe [1956:3156] 00007ffd75307d70 Thread C:\WINDOWS\system32\svchost.exe [1956:7916] 00007ffd5f7459f0 Thread C:\WINDOWS\system32\svchost.exe [1956:7296] 00007ffd5f76b2b0 Thread C:\WINDOWS\system32\svchost.exe [1956:1904] 00007ffd5f76b2b0 Thread C:\WINDOWS\system32\svchost.exe [1956:8696] 00007ffd749d6130 Thread C:\WINDOWS\System32\svchost.exe [3244:3300] 00007ffd741d98a0 Thread C:\WINDOWS\system32\wbem\wmiprvse.exe [3812:3872] 00007ffd82223490 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4252:4300] 00007ffd72907944 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4252:4308] 00007ffd727cbeb4 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4252:668] 00007ffd727cbeb4 Thread C:\WINDOWS\SysWoW64\svchost.exe [6996:1420] 0000000002a80422 Thread C:\WINDOWS\SysWoW64\svchost.exe [6996:7552] 0000000002a80422 Thread C:\WINDOWS\SysWoW64\svchost.exe [6996:7560] 0000000002a80422 Thread C:\WINDOWS\SysWoW64\svchost.exe [6996:7564] 0000000002a80422 Thread C:\WINDOWS\SysWoW64\svchost.exe [6996:6424] 0000000002a80422 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7812:8008] 00007ffd87723db0 Thread C:\WINDOWS\system32\svchost.exe [1444:7988] 00007ffd756fc820 Thread C:\WINDOWS\system32\svchost.exe [1444:6624] 00007ffd756fc820 Thread C:\WINDOWS\Explorer.EXE [7424:5108] 00007ffd82e1faa0 Thread C:\WINDOWS\Explorer.EXE [7424:6764] 00007ffd7d792cf0 Thread C:\WINDOWS\Explorer.EXE [7424:4580] 00007ffd7d792cf0 Thread C:\WINDOWS\Explorer.EXE [7424:768] 00007ffd73eabb70 Thread C:\WINDOWS\Explorer.EXE [7424:8932] 00007ffd7be3a5e0 Thread C:\WINDOWS\Explorer.EXE [7424:820] 00007ffd7d792cf0 Thread C:\WINDOWS\Explorer.EXE [7424:7132] 00007ffd7d792cf0 Thread C:\WINDOWS\Explorer.EXE [7424:6812] 00007ffd79f11ba0 Thread C:\WINDOWS\Explorer.EXE [7424:5428] 00007ffd691136f0 Thread C:\WINDOWS\Explorer.EXE [7424:7404] 00007ffd691220e0 Thread C:\WINDOWS\Explorer.EXE [7424:6664] 00007ffd644d8390 Thread C:\WINDOWS\Explorer.EXE [7424:6612] 00007ffd691220e0 Thread C:\WINDOWS\Explorer.EXE [7424:1292] 00007ffd691220e0 Thread C:\WINDOWS\Explorer.EXE [7424:8628] 00007ffd79ba6be0 Thread C:\WINDOWS\Explorer.EXE [7424:6968] 00007ffd691220e0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:3168] 00007ffd84dc58f0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4856] 00007ffd83d059c0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:536] 00007ffd6cc02bc0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:5772] 00007ffd7bf748e0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:10080] 00007ffd83d059c0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:3208] 00007ffd6cc02bc0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:1432] 00007ffd83d059c0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4752] 00007ffd6cc02bc0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:8716] 00007ffd84dc58f0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4916] 00007ffd794de010 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:8576] 00007ffd794de010 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:3892] 00007ffd6ca88600 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4160] 00007ffd6ca88600 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:5288] 00007ffd6ca88600 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:3768] 00007ffd6ca88600 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:9396] 00007ffd83d059c0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:6952] 00007ffd6cc02bc0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:9060] 00007ffd794de010 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:7664] 00007ffd83d059c0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:8540] 00007ffd6cc02bc0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:2796] 00007ffd794de010 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:9240] 00007ffd81b911a0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:5240] 00007ffd78a997b0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4112] 00007ffd83d070d0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:9068] 00007ffd7c28caf0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:8892] 00007ffd7c28caf0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:2776] 00007ffd84dc58f0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:1404] 00007ffd84dc58f0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:2744] 00007ffd83d059c0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:1808] 00007ffd794de010 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4400] 00007ffd7c28caf0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4896] 00007ffd810730f0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:2620] 00007ffd6cac8ff0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:4516] 00007ffd6cac8ff0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:8164] 00007ffd6cac8ff0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:9832] 00007ffd6cac8ff0 Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [2476:5852] 00007ffd6cac8ff0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:10132] 00007ffd84dc58f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:5840] 00007ffd83d059c0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:8460] 00007ffd6cc02bc0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:6708] 00007ffd7bf748e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:7488] 00007ffd794de010 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:3864] 00007ffd8501b310 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:4860] 00007ffd67db0600 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:4676] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:5220] 00007ffd67de7ed0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:1348] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:9304] 00007ffd8501b310 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:5364] 00007ffd8501b310 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:9244] 00007ffd67e326d0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:232] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:4840] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:5544] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:8980] 00007ffd84dc58f0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:896] 00007ffd83d070d0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:7236] 00007ffd81b911a0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [9200:8172] 00007ffd6cac8ff0 Thread C:\WINDOWS\system32\SettingSyncHost.exe [6040:2116] 00007ffd756fc820 Thread C:\WINDOWS\system32\SettingSyncHost.exe [6040:9920] 00007ffd756fc820 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:5180] 0000000067d0f225 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:9676] 0000000067d0f225 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:5204] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:1740] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:3068] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:4344] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:7064] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:5384] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:7108] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:8832] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:9284] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:6792] 000000006aefbfb4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:2780] 000000006b2d25a0 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:9656] 0000000068ab2823 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:2692] 0000000068ab2823 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:5684] 0000000068ab2823 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:2120] 0000000068ab2823 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:6652] 0000000068706b77 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:7292] 0000000068706b77 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:1276] 0000000068706b77 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:6636] 000000006af4c9a7 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:3484] 0000000067ffb8a4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:9456] 0000000067ffb8a4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:2544] 0000000067ffb8a4 Thread C:\Users\Janusz\AppData\Local\Microsoft\OneDrive\OneDrive.exe [4936:8944] 000000006b53c1d0 Thread C:\WINDOWS\system32\svchost.exe [10148:1824] 00007ffd6de65730 Thread C:\WINDOWS\system32\svchost.exe [3136:224] 00007ffd80aaa3f0 Thread C:\WINDOWS\system32\svchost.exe [3136:9628] 00007ffd80aaa3f0 Thread C:\WINDOWS\system32\mmc.exe [2456:1568] 00007ffd5aef1d10 Thread C:\WINDOWS\system32\mmc.exe [2456:6692] 00007ffd5aef1d10 Thread C:\WINDOWS\system32\mmc.exe [2456:5980] 00007ffd5b004460 Thread C:\WINDOWS\system32\mmc.exe [2456:2904] 00007ffd810730f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:8904] 00007ffd785f1eb0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:8476] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:5032] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:6204] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:3124] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:4932] 00007ffd785f16c0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:5276] 00007ffd5f05d260 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:4832] 00007ffd5f05d690 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:6024] 00007ffd5f05bb90 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:4572] 00007ffd7c85a550 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:4368] 00007ffd7bf748e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:2832] 00007ffd7c859660 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:9800] 00007ffd67bbdb30 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:452] 00007ffd67db0600 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:5420] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:3352] 00007ffd67de7ed0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:9824] 00007ffd67e326d0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:9556] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:4224] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:2452] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:1908] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:10012] 00007ffd7c859660 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [2536:5516] 00007ffd67e326d0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:8556] 00007ffd785f1eb0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:2992] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:6100] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:4800] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:6592] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:9276] 00007ffd785f16c0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:7676] 00007ffd5f05d260 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:3844] 00007ffd5f05d690 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:8200] 00007ffd5f05bb90 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:7104] 00007ffd67bbdb30 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:6956] 00007ffd67db0600 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:6936] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:4148] 00007ffd67de7ed0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:7304] 00007ffd7bf748e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:1936] 00007ffd67e326d0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:984] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:4480] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:2916] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [7600:2700] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:4652] 00007ffd785f1eb0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:4736] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:4592] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:7188] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:1324] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:2516] 00007ffd785f16c0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:6104] 00007ffd5f05d260 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:1460] 00007ffd5f05d690 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:352] 00007ffd5f05bb90 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:5144] 00007ffd7c85a550 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:7868] 00007ffd7c859660 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:8228] 00007ffd651c8800 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:8528] 00007ffd587e1670 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:9160] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:8120] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:5380] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:4124] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:3796] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:2852] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:6116] 00007ffd651c8800 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:5704] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:9608] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:9368] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [4900:3176] 00007ffd585672f0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:3000] 00007ffd785f1eb0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:2292] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:9452] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:1944] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:560] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:4988] 00007ffd785f16c0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:9260] 00007ffd5f05d260 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:8772] 00007ffd5f05d690 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:764] 00007ffd5f05bb90 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:8888] 00007ffd7c85a550 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:6712] 00007ffd7c859660 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:6788] 00007ffd67bbdb30 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:5992] 00007ffd67db0600 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:3504] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:9924] 00007ffd67de7ed0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:5452] 00007ffd7bf748e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:5000] 00007ffd67e326d0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:5424] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:9108] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8984:6284] 00007ffd67e2a9e0 Thread C:\WINDOWS\SysWoW64\rundll32.exe [3724:5104] 0000000004a70422 Thread C:\WINDOWS\SysWoW64\rundll32.exe [3724:5496] 0000000004a70422 Thread C:\WINDOWS\SysWoW64\rundll32.exe [3724:9308] 0000000004a70422 Thread C:\WINDOWS\SysWoW64\rundll32.exe [3724:3456] 0000000004a70422 Thread C:\WINDOWS\SysWoW64\rundll32.exe [3724:4568] 0000000004a70422 Thread C:\WINDOWS\SYSTEM32\notepad.exe [4244:8660] 00007ffd691220e0 Thread C:\WINDOWS\SYSTEM32\notepad.exe [4244:8588] 00007ffd691220e0 Thread C:\WINDOWS\SYSTEM32\notepad.exe [4244:5148] 00007ffd691220e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:1628] 00007ffd785f1eb0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:4232] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:2556] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:4680] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:5416] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:292] 00007ffd785f16c0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:7808] 00007ffd5f05d260 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:8328] 00007ffd5f05d690 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:6892] 00007ffd5f05bb90 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:7144] 00007ffd67bbdb30 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:4612] 00007ffd67db0600 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:2636] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:4272] 00007ffd67de7ed0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:1208] 00007ffd7bf748e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:8260] 00007ffd67e326d0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:8208] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:800] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:1088] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:8456] 00007ffd67e2a9e0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [816:4848] 00007ffd794de010 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:7544] 00007ffd785f1eb0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:5640] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:7260] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:9328] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:2976] 00007ffd785f2150 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:4772] 00007ffd785f16c0 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:8996] 00007ffd5f05d260 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:4876] 00007ffd5f05d690 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:9668] 00007ffd5f05bb90 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:9688] 00007ffd7c85a550 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:2628] 00007ffd7c859660 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:6184] 00007ffd651c8800 Thread C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe [8812:5048] 00007ffd587e1670 Thread C:\WINDOWS\system32\taskhostw.exe [6468:9560] 00007ffd76db0610 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 873264329 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a4db30a14432 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\AV\Settings\RealTime@ScanningMode 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\SBSettings@SBMode 329563 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x42 0xE7 0x25 0x3C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x42 0x4F 0xEA 0x9D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x42 0x7F 0x61 0xDA ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 703 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x59 0x59 0x3D 0x30 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x59 0x59 0x3D 0x30 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x59 0x59 0x3D 0x30 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x59 0x59 0x3D 0x30 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----