GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-17 19:17:41 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000022 ST500LT012-1DG142 rev.0002LVM1 465,76GB Running: fgsy7mvg.exe; Driver: C:\Users\Ikar\AppData\Local\Temp\fxrdapog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960000c8d00 15 bytes [00, E4, F2, 01, 80, 8C, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff960000c8d10 11 bytes [00, 72, FC, FF, 00, 09, CB, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x87ee60]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x7dee00]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x89eb50]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8beb00]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8fe3a0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x83e380]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x93ab50]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7f02b0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x90c8f0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x94ba20]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x80b4b0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x94bb10]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8a1080]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\lsass.exe[740] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x87ee60]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x7dee00]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x89eb50]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8beb00]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8fe3a0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x83e380]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x93ab50]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7f02b0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x90c8f0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x94ba20]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x80b4b0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x94bb10]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8a1080]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x87ee60]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x7dee00]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x89eb50]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8beb00]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8fe3a0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x83e380]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x93ab50]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7f02b0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x90c8f0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x94ba20]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x80b4b0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x94bb10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8a1080]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x87ee60]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x7dee00]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x89eb50]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8beb00]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8fe3a0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x83e380]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x93ab50]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7f02b0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x90c8f0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x94ba20]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x80b4b0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x94bb10]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8a1080]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\WINDOWS\system32\dwm.exe[992] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[1012] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xa1ee60]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x9fee10]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x97ee00]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x95edf0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xa3eb50]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xa5eb00]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xa9e3a0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x9de380]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x7bcc40]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x7fca90]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x87bd20]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xadab50]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x83a910]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x8b9d80]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x776c60]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [8F, 00] .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x9902b0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xaac8f0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 74] .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xaeba20]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x9ab4b0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x7baa80]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x77a710]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x7f9ea0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xaebb10]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x909bb0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x8a3a10]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xa41080]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x820a30]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x88f100]} .text C:\WINDOWS\system32\atiesrxx.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x80e740]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\System32\svchost.exe[444] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x87ee60]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x7dee00]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x89eb50]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8beb00]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8fe3a0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x83e380]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x93ab50]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7f02b0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x90c8f0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x94ba20]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x80b4b0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x94bb10]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8a1080]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9e9b00d8 .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x28aee60]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x288ee10]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x280ee00]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x27eedf0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x28ceb50]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x28eeb00]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x292e3a0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x286e380]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x93cc40]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x97ca90]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x242bd20]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x296ab50]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x9ba910]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x24e9d80]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x899ca0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x8f6c60]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [52, 02] .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x28202b0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x293c8f0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 8C] .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x297ba20]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x283b4b0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x8a8f30]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x93aa80]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x8fa710]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x979ea0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x297bb10]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x2799bb0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x24d3a10]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x28d1080]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x9a0a30]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x26cf100]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x243e740]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\WINDOWS\system32\atieclxx.exe[1092] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\System32\svchost.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x8aee60]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x88ee10]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x80ee00]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7eedf0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x8ceb50]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8eeb00]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x92e3a0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x86e380]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4fcc40]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x53ca90]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x5bbd20]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x96ab50]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x57a910]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5f9d80]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x459ca0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x4b6c60]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x416130]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [78, 00] .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8202b0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x93c8f0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 48] .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x97ba20]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x83b4b0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x468f30]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4faa80]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x4ba710]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x539ea0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x97bb10]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x799bb0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x733a10]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8d1080]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x560a30]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x3df0d0]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x376a10]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x71f100]} .text C:\WINDOWS\System32\spoolsv.exe[1452] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x54e740]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x87ee60]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x7dee00]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x89eb50]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8beb00]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8fe3a0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x83e380]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x93ab50]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7f02b0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x90c8f0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x94ba20]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x80b4b0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x94bb10]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8a1080]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x90ee60]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x8eee10]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x92eb50]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x94eb00]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x98e3a0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x8ce380]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x9cab50]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x99c8f0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x1efba20]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x89b4b0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x1efbb10]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x931080]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes JMP 430 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x200ee60]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x1feee10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x1f6ee00]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x1f4edf0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x202eb50]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x204eb00]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x24be3a0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x1fce380]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x7bcc40]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x8cca90]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x94bd20]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x24fab50]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x90a910]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x989d80]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x776c60]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [9C, 00] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x1f802b0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x24cc8f0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 74] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x250ba20]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x1f9b4b0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x88aa80]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x77a710]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x8c9ea0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x250bb10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x1ef9bb0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x973a10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x21f1080]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x8f0a30]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x1e7f100]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x8de740]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9e9b00d8 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xb7eb50]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xb9eb00]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xbde3a0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x8fcc40]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x93ca90]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x9bbd20]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xc1ab50]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x97a910]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x789ca0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x8b6c60]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x416130]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [A3, 00] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xbec8f0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 88] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xc2ba20]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x798f30]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x8faa80]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x8ba710]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x939ea0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xc2bb10]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xb81080]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x960a30]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x70f0d0]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x376a10]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x94e740]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x200ee60]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x1feee10]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x1f6ee00]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x1f4edf0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x202eb50]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x204eb00]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x24be3a0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x1fce380]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x7bcc40]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x8cca90]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x94bd20]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x24fab50]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x90a910]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x989d80]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x776c60]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [9C, 00] .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x1f802b0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x24cc8f0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 74] .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x250ba20]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x1f9b4b0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x88aa80]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x77a710]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x8c9ea0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x250bb10]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes JMP 43ff0400 .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x973a10]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x21f1080]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x8f0a30]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes JMP c1158d48 .text C:\WINDOWS\system32\CxAudMsg64.exe[1912] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x8de740]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\System32\svchost.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\dashost.exe[1988] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x90ee60]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x8eee10]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x92eb50]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x94eb00]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x98e3a0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x8ce380]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x9cab50]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x99c8f0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x9dba20]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x89b4b0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x9dbb10]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x931080]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\Program Files\Elantech\ETDService.exe[2024] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x200ee60]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x1feee10]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x1f6ee00]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x1f4edf0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x202eb50]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x204eb00]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x24be3a0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x1fce380]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x7bcc40]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x8cca90]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x94bd20]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x24fab50]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x90a910]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x989d80]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x776c60]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [9C, 00] .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x1f802b0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x24cc8f0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 74] .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x250ba20]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x1f9b4b0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x88aa80]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x77a710]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x8c9ea0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x250bb10]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x1ef9bb0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x973a10]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x21f1080]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes JMP 0 .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes JMP 240020 .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x1e7f100]} .text C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x8de740]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xaeee60]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0xacee10]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0xa4ee00]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0xa2edf0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xb0eb50]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xb2eb00]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xb6e3a0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0xaae380]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x7bcc40]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x8cca90]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x94bd20]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xbaab50]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x90a910]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x989d80]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x776c60]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [9C, 00] .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0xa602b0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xb7c8f0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 74] .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xbbba20]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0xa7b4b0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x88aa80]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x77a710]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x8c9ea0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xbbbb10]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x9d9bb0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x973a10]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xb11080]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x8f0a30]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x95f100]} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x8de740]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[2284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x28fee60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x28dee10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x285ee00]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 4 bytes [FF, 25, F0, ED] .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendInput + 5 00007ffd9f081245 1 byte [02] .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x291eb50]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x293eb00]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x297e3a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x28be380]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x8ccc40]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x90ca90]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x24fbd20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x29bab50]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x24ba910]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x2539d80]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x759ca0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x7b6c60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [7D, 02] .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x298c8f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 78] .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x29cba20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x288b4b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x768f30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x8caa80]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x88a710]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x2209ea0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x29cbb10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x27e9bb0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x2783a10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x2921080]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x24a0a30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x276f100]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x248e740]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2904] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x94ee60]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x92ee10]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x96eb50]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x98eb00]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x9ce3a0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xa0ab50]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x9dc8f0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xa1ba20]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xa1bb10]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x971080]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\WINDOWS\system32\taskhostex.exe[3012] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x94ee60]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes JMP baf .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x96eb50]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x98eb00]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x9ce3a0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x221c8f0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes JMP 54 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes JMP 54 .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x971080]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\WINDOWS\Explorer.EXE[3028] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x8aee60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x88ee10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x80ee00]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7eedf0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x8ceb50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8eeb00]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x92e3a0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x86e380]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4fcc40]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x53ca90]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x5bbd20]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x96ab50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x57a910]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5f9d80]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x459ca0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x4b6c60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x416130]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [78, 00] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8202b0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x93c8f0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 48] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x97ba20]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x83b4b0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x468f30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4faa80]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x4ba710]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x539ea0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x97bb10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x799bb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x733a10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8d1080]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x560a30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x3df0d0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x376a10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x71f100]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x54e740]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[3156] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[3408] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x8aee60]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x88ee10]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x80ee00]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7eedf0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x8ceb50]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8eeb00]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x92e3a0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x86e380]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4fcc40]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x53ca90]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x5bbd20]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x96ab50]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x57a910]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5f9d80]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x459ca0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x4b6c60]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x416130]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [78, 00] .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8202b0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x93c8f0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 48] .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x97ba20]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x83b4b0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x468f30]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4faa80]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x4ba710]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x539ea0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x97bb10]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x799bb0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x733a10]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8d1080]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x560a30]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x3df0d0]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x376a10]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x71f100]} .text C:\WINDOWS\System32\alg.exe[3508] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x54e740]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\System32\svchost.exe[3748] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9e9b00d8 .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x24bee60]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x222ee10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x24deb50]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x24feb00]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x253e3a0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x27dab50]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x27ac8f0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x27eba20]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x27ebb10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x24e1080]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x24bee60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x222ee10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x24deb50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x24feb00]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x253e3a0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x27dab50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes JMP 4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x27eba20]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x27ebb10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x24e1080]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x24bee60]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x222ee10]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x24deb50]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x24feb00]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x253e3a0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x27dab50]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x27ac8f0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x27eba20]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x27ebb10]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x24e1080]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files\Elantech\ETDIntelligent.exe[3092] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x94ee60]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x92ee10]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x96eb50]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x98eb00]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x9ce3a0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xa0ab50]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x9dc8f0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xa1ba20]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xa1bb10]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x971080]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\Windows\System32\SettingSyncHost.exe[3472] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x94ee60]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x92ee10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x96eb50]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x98eb00]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x9ce3a0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xa0ab50]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x9dc8f0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xa1ba20]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xa1bb10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x971080]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\WINDOWS\system32\SearchIndexer.exe[3196] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\DllHost.exe[240] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x9bee60]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x99ee10]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x91ee00]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x8fedf0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x9deb50]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x242eb00]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x24ee3a0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x97e380]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x53cc40]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x57ca90]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x5fbd20]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x252ab50]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x5ba910]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x499ca0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x4f6c60]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x456130]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 5 00007ffd9f08b7f5 1 byte [00] .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x9302b0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x24fc8f0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 4C] .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x274ba20]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x94b4b0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x4a8f30]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x53aa80]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x4fa710]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x579ea0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x279bb10]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x8a9bb0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x2491080]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x5a0a30]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x41f0d0]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x3b6a10]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x82f100]} .text C:\Windows\System32\skydrive.exe[4420] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x28aee60]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x288ee10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x280ee00]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x27eedf0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x28ceb50]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x28eeb00]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x292e3a0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x286e380]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x93cc40]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x97ca90]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x242bd20]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x296ab50]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x9ba910]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x24e9d80]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x899ca0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x8f6c60]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x786130]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [52, 02] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x293c8f0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes JMP 750074 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x297ba20]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x283b4b0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x8a8f30]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x93aa80]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x8fa710]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x979ea0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x297bb10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x2799bb0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x24d3a10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x28d1080]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x9a0a30]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x74f0d0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x6e6a10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x243e740]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x87ee60]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x7dee00]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x89eb50]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x8beb00]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8fe3a0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x83e380]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x93ab50]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7f02b0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x90c8f0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x94ba20]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x80b4b0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x94bb10]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x8a1080]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x28aee60]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x288ee10]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x280ee00]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes JMP feeefeee .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x28ceb50]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x28eeb00]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x292e3a0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x286e380]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x93cc40]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x97ca90]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x242bd20]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x296ab50]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x9ba910]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x24e9d80]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x899ca0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x8f6c60]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x786130]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [52, 02] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x28202b0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x293c8f0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 8C] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x297ba20]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x283b4b0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x8a8f30]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x93aa80]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x8fa710]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x979ea0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x297bb10]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x2799bb0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x24d3a10]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x28d1080]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x9a0a30]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x74f0d0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x6e6a10]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x26cf100]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x243e740]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xade3a0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x7fcc40]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x83ca90]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x8bbd20]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xb1ab50]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x87a910]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x8f9d80]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x759ca0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes JMP 0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes JMP fb1 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [93, 00] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes JMP 0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xaec8f0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 78] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xb2ba20]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x9eb4b0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x768f30]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x7faa80]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x7ba710]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x839ea0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xb2bb10]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x860a30]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x8cf100]} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x84e740]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x28fee60]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x28dee10]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x285ee00]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 4 bytes [FF, 25, F0, ED] .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendInput + 5 00007ffd9f081245 1 byte [02] .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x291eb50]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x293eb00]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x297e3a0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x28be380]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x8ccc40]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x90ca90]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x24fbd20]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x29bab50]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x24ba910]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x2539d80]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x759ca0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x7b6c60]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [7D, 02] .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x28702b0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x298c8f0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 78] .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x29cba20]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x288b4b0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x768f30]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x8caa80]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x88a710]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x2209ea0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x29cbb10]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x27e9bb0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x2783a10]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x2921080]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x24a0a30]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x276f100]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x248e740]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Windows\RTFTrack.exe[5420] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x283ee60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x281ee10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x253ee00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x251edf0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x285eb50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x287eb00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x28be3a0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x27fe380]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x8ccc40]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x90ca90]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x98bd20]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x28fab50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x94a910]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x9c9d80]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x759ca0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x7b6c60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [4B, 02] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x27b02b0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x28cc8f0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 78] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x290ba20]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x27cb4b0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x768f30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x8caa80]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x88a710]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x909ea0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x290bb10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x24c9bb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x21f3a10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x2861080]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x930a30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x244f100]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x91e740]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x94ee60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x92ee10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x96eb50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x98eb00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x9ce3a0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x24bab50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x221c8f0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x24cba20]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x24cbb10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x971080]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9e9b00d8 .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x252ee60]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x250ee10]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x91ee00]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x8fedf0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x275eb50]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x27ceb00]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x280e3a0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x24ee380]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x53cc40]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x57ca90]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x5fbd20]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x284ab50]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x5ba910]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x499ca0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x4f6c60]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x456130]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 5 00007ffd9f08b7f5 1 byte [00] .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x24202b0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x281c8f0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 4C] .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x285ba20]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x24bb4b0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x4a8f30]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x53aa80]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x4fa710]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x579ea0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x285bb10]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x8a9bb0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x27b1080]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x5a0a30]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x41f0d0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x3b6a10]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x82f100]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files\K2T\WTW\wtw.exe[6036] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x94ee60]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x92ee10]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8aee00]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x96eb50]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x98eb00]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x9ce3a0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x90e380]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4ccc40]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x24bab50]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x429ca0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x486c60]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8c02b0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x221c8f0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 45] .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x24cba20]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x8db4b0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x438f30]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x48a710]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x24cbb10]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x971080]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x6ef100]} .text C:\WINDOWS\System32\Taskmgr.exe[3596] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffd9f334260 6 bytes {JMP QWORD [RIP+0x19bdd0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffd9f3423c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffd9f343390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffd9eba8d80 6 bytes {JMP QWORD [RIP+0xdb72b0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, DC] .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0xde6ce0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0xe25b10]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0xde4080]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffda15d48f0 6 bytes {JMP QWORD [RIP+0x2fb740]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffda15d5810 6 bytes {JMP QWORD [RIP+0x35a820]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffda15d5fa1 5 bytes {JMP QWORD [RIP+0x23a090]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffda15d6350 6 bytes {JMP QWORD [RIP+0x2d9ce0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffda15d6670 5 bytes [FF, 25, C0, 99, 27] .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffda15da990 6 bytes {JMP QWORD [RIP+0x3356a0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffda15dac40 6 bytes {JMP QWORD [RIP+0x2953f0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffda15dae80 6 bytes {JMP QWORD [RIP+0x3951b0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffda15daf40 6 bytes {JMP QWORD [RIP+0x3750f0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffda15db9a0 6 bytes {JMP QWORD [RIP+0x314690]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffda15f5650 6 bytes {JMP QWORD [RIP+0x23a9e0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffda15f5881 5 bytes {JMP QWORD [RIP+0x29a7b0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x313410]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x2e0850]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xe1ee60]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0xdfee10]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0xd7ee00]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0xd5edf0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xe3eb50]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xe5eb00]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xe9e3a0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0xdde380]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffd9f081e30 6 bytes {JMP QWORD [RIP+0x9fe200]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0xbbcc40]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0xbfca90]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0xc7bd20]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffd9f0851d0 6 bytes {JMP QWORD [RIP+0x50ae60]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xedab50]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0xc3a910]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffd9f085a50 6 bytes {JMP QWORD [RIP+0x3ea5e0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0xcb9d80]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0xb19ca0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffd9f086d90 6 bytes {JMP QWORD [RIP+0x5492a0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffd9f087430 6 bytes {JMP QWORD [RIP+0x228c00]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffd9f087f30 6 bytes {JMP QWORD [RIP+0x488100]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffd9f088101 5 bytes {JMP QWORD [RIP+0x4c7f30]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffd9f088e00 6 bytes {JMP QWORD [RIP+0x1c7230]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffd9f089140 6 bytes {JMP QWORD [RIP+0x896ef0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0xb76c60]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x9d6130]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffd9f08a490 6 bytes {JMP QWORD [RIP+0x855ba0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffd9f08ab30 6 bytes {JMP QWORD [RIP+0x565500]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffd9f08ae70 6 bytes {JMP QWORD [RIP+0x4651c0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [CF, 00] .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffd9f08bd60 6 bytes {JMP QWORD [RIP+0x2642d0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0xd902b0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffd9f090e60 6 bytes {JMP QWORD [RIP+0x80f1d0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xeac8f0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, B4] .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xeeba20]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffd9f0946a0 6 bytes {JMP QWORD [RIP+0x86b990]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0xdab4b0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0xb28f30]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffd9f0a39a0 6 bytes {JMP QWORD [RIP+0x58c690]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffd9f0a3ab0 6 bytes {JMP QWORD [RIP+0x56c580]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0xbbaa80]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffd9f0a58a0 6 bytes {JMP QWORD [RIP+0x89a790]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0xb7a710]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffd9f0a5ba0 6 bytes {JMP QWORD [RIP+0x77a490]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0xbf9ea0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffd9f0a62d0 6 bytes {JMP QWORD [RIP+0x229d60]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffd9f0a7160 6 bytes {JMP QWORD [RIP+0x7b8ed0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffd9f0a7690 6 bytes {JMP QWORD [RIP+0x7d89a0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffd9f0a7bf1 5 bytes {JMP QWORD [RIP+0x4c8440]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffd9f0a7c20 6 bytes {JMP QWORD [RIP+0x488410]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffd9f0b3fa0 6 bytes {JMP QWORD [RIP+0x4fc090]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xeebb10]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0xd09bb0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffd9f0b66f0 6 bytes {JMP QWORD [RIP+0xa09940]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffd9f0b77a0 6 bytes {JMP QWORD [RIP+0x748890]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffd9f0b7820 6 bytes {JMP QWORD [RIP+0xa68810]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffd9f0b7bf0 6 bytes {JMP QWORD [RIP+0x5b8440]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0xca3a10]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xe41080]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0xc20a30]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0xa9f0d0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffd9f0e3440 6 bytes {JMP QWORD [RIP+0x9fcbf0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffd9f0e3470 6 bytes {JMP QWORD [RIP+0x56cbc0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffd9f0e3660 6 bytes {JMP QWORD [RIP+0xa5c9d0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffd9f0e3690 6 bytes {JMP QWORD [RIP+0x6fc9a0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x936a10]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffd9f10ec00 5 bytes [FF, 25, 30, 14, 73] .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffd9f110ef0 6 bytes {JMP QWORD [RIP+0x1ff140]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0xc8f100]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffd9f111470 6 bytes {JMP QWORD [RIP+0x7aebc0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0xc0e740]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffda11a13c0 6 bytes {JMP QWORD [RIP+0x34ec70]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffda11af5e0 6 bytes {JMP QWORD [RIP+0x280a50]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffda11af5f0 6 bytes {JMP QWORD [RIP+0x320a40]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffda11af650 6 bytes {JMP QWORD [RIP+0x2c09e0]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffda11e6c20 6 bytes {JMP QWORD [RIP+0x2c9410]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffda11e6e30 6 bytes {JMP QWORD [RIP+0x269200]} .text C:\WINDOWS\system32\svchost.exe[4216] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffda11f2350 6 bytes {JMP QWORD [RIP+0x29dce0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffd9f334260 6 bytes {JMP QWORD [RIP+0x19bdd0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffd9f3423c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffd9f343390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffd9eba8d80 6 bytes {JMP QWORD [RIP+0xdb72b0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, DC] .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0xde6ce0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0xe25b10]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0xde4080]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffda15d48f0 6 bytes {JMP QWORD [RIP+0x2fb740]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffda15d5810 6 bytes {JMP QWORD [RIP+0x35a820]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffda15d5fa1 5 bytes {JMP QWORD [RIP+0x23a090]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffda15d6350 6 bytes {JMP QWORD [RIP+0x2d9ce0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffda15d6670 5 bytes [FF, 25, C0, 99, 27] .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffda15da990 6 bytes {JMP QWORD [RIP+0x3356a0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffda15dac40 6 bytes {JMP QWORD [RIP+0x2953f0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffda15dae80 6 bytes {JMP QWORD [RIP+0x3951b0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffda15daf40 6 bytes {JMP QWORD [RIP+0x3750f0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffda15db9a0 6 bytes {JMP QWORD [RIP+0x314690]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffda15f5650 6 bytes {JMP QWORD [RIP+0x23a9e0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffda15f5881 5 bytes {JMP QWORD [RIP+0x29a7b0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x313410]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x2e0850]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xe1ee60]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0xdfee10]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0xd7ee00]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0xd5edf0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xe3eb50]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xe5eb00]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xe9e3a0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0xdde380]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffd9f081e30 6 bytes {JMP QWORD [RIP+0x9fe200]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0xbbcc40]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0xbfca90]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0xc7bd20]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffd9f0851d0 6 bytes {JMP QWORD [RIP+0x50ae60]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xedab50]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0xc3a910]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffd9f085a50 6 bytes {JMP QWORD [RIP+0x3ea5e0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0xcb9d80]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0xb19ca0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffd9f086d90 6 bytes {JMP QWORD [RIP+0x5492a0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffd9f087430 6 bytes {JMP QWORD [RIP+0x228c00]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffd9f087f30 6 bytes {JMP QWORD [RIP+0x488100]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffd9f088101 5 bytes {JMP QWORD [RIP+0x4c7f30]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffd9f088e00 6 bytes {JMP QWORD [RIP+0x1c7230]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffd9f089140 6 bytes {JMP QWORD [RIP+0x896ef0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0xb76c60]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x9d6130]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffd9f08a490 6 bytes {JMP QWORD [RIP+0x855ba0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffd9f08ab30 6 bytes {JMP QWORD [RIP+0x565500]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffd9f08ae70 6 bytes {JMP QWORD [RIP+0x4651c0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [CF, 00] .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffd9f08bd60 6 bytes {JMP QWORD [RIP+0x2642d0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0xd902b0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffd9f090e60 6 bytes {JMP QWORD [RIP+0x80f1d0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xeac8f0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, B4] .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xeeba20]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffd9f0946a0 6 bytes {JMP QWORD [RIP+0x86b990]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0xdab4b0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0xb28f30]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffd9f0a39a0 6 bytes {JMP QWORD [RIP+0x58c690]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffd9f0a3ab0 6 bytes {JMP QWORD [RIP+0x56c580]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0xbbaa80]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffd9f0a58a0 6 bytes {JMP QWORD [RIP+0x89a790]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0xb7a710]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffd9f0a5ba0 6 bytes {JMP QWORD [RIP+0x77a490]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0xbf9ea0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffd9f0a62d0 6 bytes {JMP QWORD [RIP+0x229d60]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffd9f0a7160 6 bytes {JMP QWORD [RIP+0x7b8ed0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffd9f0a7690 6 bytes {JMP QWORD [RIP+0x7d89a0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffd9f0a7bf1 5 bytes {JMP QWORD [RIP+0x4c8440]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffd9f0a7c20 6 bytes {JMP QWORD [RIP+0x488410]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffd9f0b3fa0 6 bytes {JMP QWORD [RIP+0x4fc090]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xeebb10]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0xd09bb0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffd9f0b66f0 6 bytes {JMP QWORD [RIP+0xa09940]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffd9f0b77a0 6 bytes {JMP QWORD [RIP+0x748890]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffd9f0b7820 6 bytes {JMP QWORD [RIP+0xa68810]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffd9f0b7bf0 6 bytes {JMP QWORD [RIP+0x5b8440]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0xca3a10]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xe41080]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0xc20a30]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0xa9f0d0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffd9f0e3440 6 bytes {JMP QWORD [RIP+0x9fcbf0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffd9f0e3470 6 bytes {JMP QWORD [RIP+0x56cbc0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffd9f0e3660 6 bytes {JMP QWORD [RIP+0xa5c9d0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffd9f0e3690 6 bytes {JMP QWORD [RIP+0x6fc9a0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x936a10]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffd9f10ec00 5 bytes [FF, 25, 30, 14, 73] .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffd9f110ef0 6 bytes {JMP QWORD [RIP+0x1ff140]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0xc8f100]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffd9f111470 6 bytes {JMP QWORD [RIP+0x7aebc0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0xc0e740]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffda11a13c0 6 bytes {JMP QWORD [RIP+0x34ec70]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffda11af5e0 6 bytes {JMP QWORD [RIP+0x280a50]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffda11af5f0 6 bytes {JMP QWORD [RIP+0x320a40]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffda11af650 6 bytes {JMP QWORD [RIP+0x2c09e0]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffda11e6c20 6 bytes {JMP QWORD [RIP+0x2c9410]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffda11e6e30 6 bytes {JMP QWORD [RIP+0x269200]} .text C:\WINDOWS\system32\svchost.exe[5488] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffda11f2350 6 bytes {JMP QWORD [RIP+0x29dce0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffd9f334260 6 bytes {JMP QWORD [RIP+0x19bdd0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffd9f3423c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffd9f343390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!CheckTokenMembership + 1 00007ffd9eba45f1 5 bytes {JMP QWORD [RIP+0x70ba40]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffd9eba8d80 6 bytes {JMP QWORD [RIP+0xdd72b0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, DE] .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0xe06ce0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0xe45b10]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0xe04080]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffda15d48f0 6 bytes {JMP QWORD [RIP+0x2fb740]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffda15d5810 6 bytes {JMP QWORD [RIP+0x35a820]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffda15d5fa1 5 bytes {JMP QWORD [RIP+0x23a090]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffda15d6350 6 bytes {JMP QWORD [RIP+0x2d9ce0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffda15d6670 5 bytes [FF, 25, C0, 99, 27] .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffda15da990 6 bytes {JMP QWORD [RIP+0x3356a0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffda15dac40 6 bytes {JMP QWORD [RIP+0x2953f0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffda15dae80 6 bytes {JMP QWORD [RIP+0x3951b0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffda15daf40 6 bytes {JMP QWORD [RIP+0x3750f0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffda15db9a0 6 bytes {JMP QWORD [RIP+0x314690]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffda15f5650 6 bytes {JMP QWORD [RIP+0x23a9e0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffda15f5881 5 bytes {JMP QWORD [RIP+0x29a7b0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd9f6bcc20 6 bytes {JMP QWORD [RIP+0x333410]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd9f6cf7e0 6 bytes {JMP QWORD [RIP+0x300850]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xe3ee60]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0xe1ee10]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0xd9ee00]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0xd7edf0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xe5eb50]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xe7eb00]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xebe3a0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0xdfe380]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffd9f081e30 6 bytes {JMP QWORD [RIP+0xa1e200]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0xbdcc40]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0xc1ca90]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0xc9bd20]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffd9f0851d0 6 bytes {JMP QWORD [RIP+0x52ae60]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xefab50]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0xc5a910]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffd9f085a50 6 bytes {JMP QWORD [RIP+0x46a5e0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0xcd9d80]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0xb39ca0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffd9f086d90 6 bytes {JMP QWORD [RIP+0x5692a0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffd9f087430 6 bytes {JMP QWORD [RIP+0x248c00]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffd9f087f30 6 bytes {JMP QWORD [RIP+0x4a8100]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffd9f088101 5 bytes {JMP QWORD [RIP+0x4e7f30]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffd9f088e00 6 bytes {JMP QWORD [RIP+0x1c7230]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffd9f089140 6 bytes {JMP QWORD [RIP+0x8b6ef0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0xb96c60]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x9f6130]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffd9f08a490 6 bytes {JMP QWORD [RIP+0x875ba0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffd9f08ab30 6 bytes {JMP QWORD [RIP+0x585500]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffd9f08ae70 6 bytes {JMP QWORD [RIP+0x4851c0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [D1, 00] .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffd9f08bd60 6 bytes {JMP QWORD [RIP+0x2842d0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0xdb02b0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffd9f090e60 6 bytes {JMP QWORD [RIP+0x82f1d0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xecc8f0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, B6] .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xf0ba20]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffd9f0946a0 6 bytes {JMP QWORD [RIP+0x88b990]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0xdcb4b0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0xb48f30]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffd9f0a39a0 6 bytes {JMP QWORD [RIP+0x5ac690]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffd9f0a3ab0 6 bytes {JMP QWORD [RIP+0x58c580]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0xbdaa80]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffd9f0a58a0 6 bytes {JMP QWORD [RIP+0x8ba790]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0xb9a710]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffd9f0a5ba0 6 bytes {JMP QWORD [RIP+0x79a490]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0xc19ea0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffd9f0a62d0 6 bytes {JMP QWORD [RIP+0x249d60]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffd9f0a7160 6 bytes {JMP QWORD [RIP+0x7d8ed0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffd9f0a7690 6 bytes {JMP QWORD [RIP+0x7f89a0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffd9f0a7bf1 5 bytes {JMP QWORD [RIP+0x4e8440]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffd9f0a7c20 6 bytes {JMP QWORD [RIP+0x4a8410]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffd9f0b3fa0 6 bytes {JMP QWORD [RIP+0x51c090]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xf0bb10]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0xd29bb0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffd9f0b66f0 6 bytes {JMP QWORD [RIP+0xa29940]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffd9f0b77a0 6 bytes {JMP QWORD [RIP+0x768890]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffd9f0b7820 6 bytes {JMP QWORD [RIP+0xa88810]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffd9f0b7bf0 6 bytes {JMP QWORD [RIP+0x728440]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0xcc3a10]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xe61080]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0xc40a30]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0xabf0d0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffd9f0e3440 6 bytes {JMP QWORD [RIP+0xa1cbf0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffd9f0e3470 6 bytes {JMP QWORD [RIP+0x58cbc0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffd9f0e3660 6 bytes {JMP QWORD [RIP+0xa7c9d0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffd9f0e3690 6 bytes {JMP QWORD [RIP+0x71c9a0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x956a10]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffd9f10ec00 5 bytes [FF, 25, 30, 14, 75] .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffd9f110ef0 6 bytes {JMP QWORD [RIP+0x35f140]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0xcaf100]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffd9f111470 6 bytes {JMP QWORD [RIP+0x7cebc0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0xc2e740]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffda11a13c0 6 bytes {JMP QWORD [RIP+0x34ec70]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffda11af5e0 6 bytes {JMP QWORD [RIP+0x280a50]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffda11af5f0 6 bytes {JMP QWORD [RIP+0x320a40]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffda11af650 6 bytes {JMP QWORD [RIP+0x2c09e0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffda11e6c20 6 bytes {JMP QWORD [RIP+0x2c9410]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffda11e6e30 6 bytes {JMP QWORD [RIP+0x269200]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffda11f2350 6 bytes {JMP QWORD [RIP+0x29dce0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffd9ecfd050 6 bytes {JMP QWORD [RIP+0x592fe0]} .text C:\WINDOWS\system32\svchost.exe[3812] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffd9ed21340 6 bytes {JMP QWORD [RIP+0x54ecf0]} .text C:\WINDOWS\system32\svchost.exe[3812] c:\windows\system32\wevtapi.dll!EvtClearLog 00007ffd9abb5d90 6 bytes {JMP QWORD [RIP+0x5a2a0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffd9f334260 6 bytes {JMP QWORD [RIP+0x19bdd0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffd9f3423c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffd9f343390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffd9eba8d80 6 bytes {JMP QWORD [RIP+0xdb72b0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, DC] .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0xda6ce0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0xde5b10]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0xda4080]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffda15d48f0 6 bytes {JMP QWORD [RIP+0x2fb740]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffda15d5810 6 bytes {JMP QWORD [RIP+0x35a820]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffda15d5fa1 5 bytes {JMP QWORD [RIP+0x23a090]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffda15d6350 6 bytes {JMP QWORD [RIP+0x2d9ce0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffda15d6670 5 bytes [FF, 25, C0, 99, 27] .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffda15da990 6 bytes {JMP QWORD [RIP+0x3356a0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffda15dac40 6 bytes {JMP QWORD [RIP+0x2953f0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffda15dae80 6 bytes {JMP QWORD [RIP+0x3951b0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffda15daf40 6 bytes {JMP QWORD [RIP+0x3750f0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffda15db9a0 6 bytes {JMP QWORD [RIP+0x314690]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffda15f5650 6 bytes {JMP QWORD [RIP+0x23a9e0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffda15f5881 5 bytes {JMP QWORD [RIP+0x29a7b0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0xddee60]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0xdbee10]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0xd3ee00]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0xd1edf0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0xdfeb50]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0xe1eb00]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0xe5e3a0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0xd9e380]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffd9f081e30 6 bytes {JMP QWORD [RIP+0x9be200]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0xb7cc40]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0xbbca90]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0xc3bd20]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffd9f0851d0 6 bytes {JMP QWORD [RIP+0x50ae60]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0xe9ab50]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0xbfa910]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffd9f085a50 6 bytes {JMP QWORD [RIP+0x3ea5e0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0xc79d80]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0xad9ca0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffd9f086d90 6 bytes {JMP QWORD [RIP+0x5492a0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffd9f087430 6 bytes {JMP QWORD [RIP+0x228c00]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffd9f087f30 6 bytes {JMP QWORD [RIP+0x488100]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffd9f088101 5 bytes {JMP QWORD [RIP+0x4c7f30]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffd9f088e00 6 bytes {JMP QWORD [RIP+0x1c7230]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffd9f089140 6 bytes {JMP QWORD [RIP+0x896ef0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0xb36c60]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x996130]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffd9f08a490 6 bytes {JMP QWORD [RIP+0x855ba0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffd9f08ab30 6 bytes {JMP QWORD [RIP+0x565500]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffd9f08ae70 6 bytes {JMP QWORD [RIP+0x4651c0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [CB, 00] .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffd9f08bd60 6 bytes {JMP QWORD [RIP+0x2642d0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0xd502b0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffd9f090e60 6 bytes {JMP QWORD [RIP+0x80f1d0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0xe6c8f0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, B0] .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0xeaba20]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffd9f0946a0 6 bytes {JMP QWORD [RIP+0x86b990]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0xd6b4b0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0xae8f30]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffd9f0a39a0 6 bytes {JMP QWORD [RIP+0x58c690]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffd9f0a3ab0 6 bytes {JMP QWORD [RIP+0x56c580]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0xb7aa80]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffd9f0a58a0 6 bytes {JMP QWORD [RIP+0x89a790]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0xb3a710]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffd9f0a5ba0 6 bytes {JMP QWORD [RIP+0x77a490]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0xbb9ea0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffd9f0a62d0 6 bytes {JMP QWORD [RIP+0x229d60]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffd9f0a7160 6 bytes {JMP QWORD [RIP+0x7b8ed0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffd9f0a7690 6 bytes {JMP QWORD [RIP+0x7d89a0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffd9f0a7bf1 5 bytes {JMP QWORD [RIP+0x4c8440]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffd9f0a7c20 6 bytes {JMP QWORD [RIP+0x488410]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffd9f0b3fa0 6 bytes {JMP QWORD [RIP+0x4fc090]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0xeabb10]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0xcc9bb0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffd9f0b66f0 6 bytes {JMP QWORD [RIP+0x9c9940]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffd9f0b77a0 6 bytes {JMP QWORD [RIP+0x748890]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffd9f0b7820 6 bytes {JMP QWORD [RIP+0xa28810]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffd9f0b7bf0 6 bytes {JMP QWORD [RIP+0x5b8440]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0xc63a10]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0xe01080]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0xbe0a30]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0xa5f0d0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffd9f0e3440 6 bytes {JMP QWORD [RIP+0x9bcbf0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffd9f0e3470 6 bytes {JMP QWORD [RIP+0x56cbc0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffd9f0e3660 6 bytes {JMP QWORD [RIP+0xa1c9d0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffd9f0e3690 6 bytes {JMP QWORD [RIP+0x6fc9a0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x8f6a10]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffd9f10ec00 5 bytes [FF, 25, 30, 14, 73] .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffd9f110ef0 6 bytes {JMP QWORD [RIP+0x1ff140]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0xc4f100]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffd9f111470 6 bytes {JMP QWORD [RIP+0x7aebc0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0xbce740]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffda11a13c0 6 bytes {JMP QWORD [RIP+0x34ec70]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffda11af5e0 6 bytes {JMP QWORD [RIP+0x280a50]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffda11af5f0 6 bytes {JMP QWORD [RIP+0x320a40]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffda11af650 6 bytes {JMP QWORD [RIP+0x2c09e0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffda11e6c20 6 bytes {JMP QWORD [RIP+0x2c9410]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffda11e6e30 6 bytes {JMP QWORD [RIP+0x269200]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffda11f2350 6 bytes {JMP QWORD [RIP+0x29dce0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffd9ecfd050 6 bytes {JMP QWORD [RIP+0x592fe0]} .text C:\WINDOWS\system32\svchost.exe[2868] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffd9ed21340 6 bytes {JMP QWORD [RIP+0x54ecf0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8be3a0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x8fab50]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8cc8f0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x90ba20]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x90bb10]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x861080]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\svchost.exe[3644] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 66] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 6A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x686ce0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6c5b10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x684080]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x97ee60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x95ee10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes {JMP QWORD [RIP+0x8dee00]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x8bedf0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x99eb50]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x9beb00]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x1f1e3a0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x93e380]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x4fcc40]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x53ca90]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x5bbd20]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x1f5ab50]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x57a910]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5f9d80]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x459ca0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x4b6c60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x416130]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [78, 00] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x8f02b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x1f2c8f0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 48] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x1f6ba20]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x90b4b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x468f30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x4faa80]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x4ba710]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x539ea0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x1f6bb10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x869bb0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x733a10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x9a1080]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x560a30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x3df0d0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x376a10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x71f100]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x54e740]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x83ee60]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes {JMP QWORD [RIP+0x81ee10]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 4 bytes [FF, 25, 00, EE] .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!GetKeyboardState + 5 00007ffd9f081235 1 byte [00] .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x77edf0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x85eb50]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x87eb00]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x8de3a0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes {JMP QWORD [RIP+0x7fe380]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes {JMP QWORD [RIP+0x48cc40]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x4cca90]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x54bd20]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x91ab50]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x50a910]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x589d80]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes {JMP QWORD [RIP+0x446c60]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [5C, 00] .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes {JMP QWORD [RIP+0x7b02b0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x8ec8f0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x92ba20]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes {JMP QWORD [RIP+0x7cb4b0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes {JMP QWORD [RIP+0x48aa80]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes {JMP QWORD [RIP+0x44a710]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x4c9ea0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x92bb10]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x729bb0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x573a10]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x881080]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x4f0a30]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes {JMP QWORD [RIP+0x55f100]} .text C:\WINDOWS\system32\rundll32.exe[1880] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x4de740]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd9eba8e46 3 bytes [C4, 71, 65] .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd9ebb8ca0 5 bytes [FF, 25, 90, 73, 69] .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd9ebbef70 5 bytes JMP 00007ffe9eb900d8 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd9ebf9351 5 bytes {JMP QWORD [RIP+0x676ce0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffd9ebfa520 6 bytes {JMP QWORD [RIP+0x6b5b10]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffd9ec1bfb0 6 bytes {JMP QWORD [RIP+0x674080]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffd9f0811d0 6 bytes {JMP QWORD [RIP+0x94ee60]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffd9f081220 6 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffd9f081230 6 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffd9f081240 6 bytes {JMP QWORD [RIP+0x7bedf0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffd9f0814e0 6 bytes {JMP QWORD [RIP+0x96eb50]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffd9f081530 6 bytes {JMP QWORD [RIP+0x98eb00]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffd9f081c90 6 bytes {JMP QWORD [RIP+0x9ce3a0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffd9f081cb0 6 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffd9f0833f0 6 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffd9f0835a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd9f084311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffd9f0854e0 6 bytes {JMP QWORD [RIP+0x24bab50]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffd9f085720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffd9f0862b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffd9f086390 6 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffd9f0893d0 6 bytes JMP 6c0070 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffd9f089f00 6 bytes {JMP QWORD [RIP+0x266130]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffd9f08b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffd9f08b7f4 2 bytes [75, 00] .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffd9f08fd81 5 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffd9f093740 6 bytes {JMP QWORD [RIP+0x221c8f0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffd9f093c60 5 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffd9f094610 6 bytes {JMP QWORD [RIP+0x24cba20]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffd9f094b80 6 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffd9f097101 5 bytes JMP 6e0069 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffd9f0a55b0 6 bytes JMP 0 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffd9f0a5920 6 bytes JMP 73005c .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffd9f0a6190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffd9f0b4520 6 bytes {JMP QWORD [RIP+0x24cbb10]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffd9f0b6480 6 bytes {JMP QWORD [RIP+0x769bb0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffd9f0bc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffd9f0befb0 6 bytes {JMP QWORD [RIP+0x971080]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffd9f0bf600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffd9f0e0f60 6 bytes {JMP QWORD [RIP+0x22f0d0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffd9f109620 6 bytes {JMP QWORD [RIP+0x1c6a10]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffd9f110f30 6 bytes JMP bd4 .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffd9f1118f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffda12d3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffda12e11d0 6 bytes {JMP QWORD [RIP+0x17ee60]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffda12e1340 6 bytes {JMP QWORD [RIP+0x15ecf0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffda12f7c20 6 bytes {JMP QWORD [RIP+0x1f8410]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffda12f8180 6 bytes {JMP QWORD [RIP+0x237eb0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffda12f8290 6 bytes {JMP QWORD [RIP+0x187da0]} .text C:\WINDOWS\explorer.exe[6588] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffda1353ea0 6 bytes {JMP QWORD [RIP+0x1bc190]} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[732] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\services.exe[732] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\services.exe[732] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\lsass.exe[740] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\lsass.exe[740] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\lsass.exe[740] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[852] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[852] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[852] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\dwm.exe[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\uDWM.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dwm.exe[992] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1012] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1012] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1012] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atiesrxx.exe[416] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atiesrxx.exe[416] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atiesrxx.exe[416] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atiesrxx.exe[416] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[444] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[444] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[444] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[444] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1044] @ c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1084] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1084] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1084] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atieclxx.exe[1092] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atieclxx.exe[1092] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atieclxx.exe[1092] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atieclxx.exe[1092] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atieclxx.exe[1092] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atieclxx.exe[1092] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\atieclxx.exe[1092] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1128] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1128] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1128] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1128] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1128] @ C:\WINDOWS\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\System32\localspl.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\System32\PrintIsolationProxy.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\system32\spool\PRTPROCS\x64\winprint.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\SYSTEM32\prntvpt.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\spoolsv.exe[1452] @ C:\WINDOWS\System32\DriverStore\FileRepository\prnms003.inf_amd64_b7ddbc212b0e0bcd\Amd64\PrintConfig.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1520] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1520] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1520] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[1520] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[1652] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1672] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\comctl32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\CxAudMsg64.exe[1912] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\CxAudMsg64.exe[1912] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\CxAudMsg64.exe[1912] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\CxAudMsg64.exe[1912] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1968] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1968] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[1968] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dashost.exe[1988] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dashost.exe[1988] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dashost.exe[1988] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\dashost.exe[1988] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDService.exe[2024] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDService.exe[2024] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDService.exe[2024] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Jumpstart\jswpbapi.exe[972] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\LenovoWiFiHotspotSvr.exe[1812] @ C:\WINDOWS\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2152] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[2284] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[2284] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[2284] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[2284] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[2284] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2400] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2904] @ C:\WINDOWS\SYSTEM32\riched20.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\taskhostex.exe[3012] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\Comctl32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\twinui.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\OPENGL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\DDRAW.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\authui.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\WSShared.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\fontext.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\system32\DeviceCenter.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\WINDOWS\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\Explorer.EXE[3028] @ C:\Windows\System32\gameux.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[1760] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3156] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3156] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3156] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3408] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3408] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3408] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\alg.exe[3508] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\alg.exe[3508] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\alg.exe[3508] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\alg.exe[3508] @ C:\WINDOWS\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[3748] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[3748] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\svchost.exe[3748] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[4064] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3152] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Elantech\ETDIntelligent.exe[3092] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\SettingSyncHost.exe[3472] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\SettingSyncHost.exe[3472] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\SettingSyncHost.exe[3472] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\SettingSyncHost.exe[3472] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3196] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3196] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3196] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3196] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\DllHost.exe[240] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\DllHost.exe[240] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\DllHost.exe[240] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\Windows\System32\skydrive.exe[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\Windows\System32\DUI70.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\System32\skydrive.exe[4420] @ C:\Windows\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\comctl32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\SYSTEM32\mfc100u.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5336] @ C:\WINDOWS\SYSTEM32\mfc100.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5344] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\comctl32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5364] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[5408] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\SYSTEM32\oledlg.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Windows\RTFTrack.exe[5420] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\Program Files (x86)\Lenovo\Energy Manager\mfc110u.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[5460] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\SYSTEM32\oledlg.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[5492] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\Program Files\K2T\WTW\mfc120u.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\comdlg32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\Program Files\K2T\WTW\libLexer.module[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\DUser.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\K2T\WTW\wtw.exe[6036] @ C:\WINDOWS\system32\DUI70.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[5160] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[5160] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[5160] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\System32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\System32\DUI70.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\WINDOWS\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\System32\Taskmgr.exe[3596] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[1536] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[1536] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[1536] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[4216] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[4216] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[4216] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[5488] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[5488] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[5488] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[3812] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[3812] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[3812] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[2868] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[2868] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[2868] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1500000] IAT C:\WINDOWS\system32\svchost.exe[3644] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3644] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\svchost.exe[3644] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[7152] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\rundll32.exe[1880] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\rundll32.exe[1880] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\rundll32.exe[1880] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\system32\rundll32.exe[1880] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\explorer.exe[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\DUser.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\DUI70.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\comctl32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\UIRibbon.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\system32\syncui.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\SYSTEM32\mfc100u.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\SYSTEM32\OPENGL32.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\SYSTEM32\DDRAW.dll[GDI32.dll!DeleteDC] [7ffda1420000] IAT C:\WINDOWS\explorer.exe[6588] @ C:\WINDOWS\SYSTEM32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ffda1420000] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [636:664] fffff960009342d0 Thread C:\WINDOWS\system32\svchost.exe [1044:4640] 00007ffd8c7c1050 Thread C:\Windows\System32\SettingSyncHost.exe [3472:4304] 00007ffd8e777090 ---- Processes - GMER 2.1 ---- Library c:\users\ikar\appdata\local\temp\7zs0c9b\hpslpsvc64.dll (*** suspicious ***) @ C:\WINDOWS\system32\svchost.exe [3644] (HP Network Devices Support/Hewlett-Packard Co.)(2015-07-01 07:56:23) 0000000180000000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----