GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-07 16:55:32 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e HGST_HTS545050A7E380 rev.GG2OAC90 465,76GB Running: w4s6rwzb.exe; Driver: C:\Users\Admi\AppData\Local\Temp\pxldapow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960000cc300 15 bytes [00, 0B, F2, 01, 00, 06, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff960000cc310 8 bytes [00, D7, FB, FF, 00, D3, CD, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffab7c0cc20 6 bytes {JMP QWORD [RIP+0x363410]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffab7c1f7e0 6 bytes {JMP QWORD [RIP+0x330850]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\services.exe[720] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffab7c0cc20 6 bytes {JMP QWORD [RIP+0x363410]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffab7c1f7e0 6 bytes {JMP QWORD [RIP+0x330850]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffab7c0cc20 6 bytes {JMP QWORD [RIP+0x363410]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffab7c1f7e0 6 bytes {JMP QWORD [RIP+0x330850]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[876] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffab6f93e10 7 bytes JMP 00007ffbb5270260 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffab6f93e20 7 bytes JMP 00007ffbb5270298 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffab70439b0 7 bytes JMP 00007ffbb5270340 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffab7043ef0 7 bytes JMP 00007ffbb52702d0 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffab7043fe0 7 bytes JMP 00007ffbb5270308 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffab70706c0 7 bytes JMP 00007ffbb52701f0 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffab7070730 7 bytes JMP 00007ffbb5270228 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffab52921d0 5 bytes JMP 00007ffbb5270180 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffab52929d0 7 bytes JMP 00007ffbb52700d8 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffab5294310 5 bytes JMP 00007ffbb5270110 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffab5298900 5 bytes JMP 00007ffbb5270148 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffab530f050 5 bytes JMP 00007ffbb52701b8 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xb7eb50]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xb9eb00]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x118e3a0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x82ca90]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x8abd20]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x11cab50]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x86a910]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffab6e16d90 1 byte JMP 00007ffbb5270420 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 2 00007ffab6e16d92 8 bytes {JMP 0xfffffffffe459690} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [A3, 00] .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x119c8f0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x11dba20]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffab6e274a0 5 bytes JMP 00007ffbb52703e8 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffab6e27560 9 bytes JMP 00007ffbb5270378 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffab6e27730 5 bytes JMP 00007ffbb5270458 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x7eaa80]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x829ea0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffab6e36b10 5 bytes JMP 00007ffbb52703b0 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x11dbb10]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x1131080]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x850a30]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x83e740]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffab79c1500 1 byte JMP 00007ffbb5270490 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffab79c1502 6 bytes {JMP 0xfffffffffd8aef90} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffab79c1750 8 bytes JMP 00007ffbb52704c8 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffab79c3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffab79d11a0 6 bytes {JMP QWORD [RIP+0x17ee90]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffab79d1310 6 bytes {JMP QWORD [RIP+0x15ed20]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffab79e7a40 6 bytes {JMP QWORD [RIP+0x4f85f0]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffab79e7fa0 6 bytes {JMP QWORD [RIP+0x588090]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffab79e80b0 6 bytes {JMP QWORD [RIP+0x187f80]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffab7a38500 6 bytes {JMP QWORD [RIP+0x517b30]} .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffab55dd050 7 bytes JMP 00007ffbb5270500 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffab560b170 5 bytes JMP 00007ffbb5270538 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffab20f7750 5 bytes JMP 00007ffbb20e00d8 .text C:\WINDOWS\system32\dwm.exe[956] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffab20f8ee0 5 bytes JMP 00007ffbb20e0110 .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[1020] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\System32\svchost.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\System32\svchost.exe[428] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffab7c0cc20 6 bytes {JMP QWORD [RIP+0x363410]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffab7c1f7e0 6 bytes {JMP QWORD [RIP+0x330850]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[416] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[784] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\System32\spoolsv.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffab7c0cc20 6 bytes {JMP QWORD [RIP+0x363410]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffab7c1f7e0 6 bytes {JMP QWORD [RIP+0x330850]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[1280] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\System32\svchost.exe[1520] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\Program Files\Elantech\ETDService.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52300d8 .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\dashost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[1744] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[1544] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x9fee60]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x8cee10]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0x84ee00]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0x82edf0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xa1eb50]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xa3eb00]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0xa7e3a0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x8ae380]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x6cca90]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x74bd20]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0xabab50]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x70a910]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x789d80]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [7C, 00] .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0x8602b0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0xa8c8f0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0xacba20]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x87b4b0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x68aa80]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x6c9ea0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0xacbb10]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0x7d9bb0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x773a10]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0xa21080]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x6f0a30]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x75f100]} .text C:\WINDOWS\system32\svchost.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x6de740]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 52] .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52300d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 55] .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x1ab6ab0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1af58e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1ab40e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x129ee60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x127ee10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xb7ee00]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xb5edf0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0x12beb50]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0x12deb00]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x131e3a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x125e380]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x8acc40]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x9fca90]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0xa7bd20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x135ab50]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0xa3a910]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0xab9d80]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x809ca0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x866c60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x666130]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [AF, 00] .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xb902b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x132c8f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 83] .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x136ba20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x122b4b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x818f30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x8aaa80]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x86a710]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x9f9ea0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x136bb10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xb09bb0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0xaa3a10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x12c1080]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0xa20a30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x62f0d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x5c6a10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0xa8f100]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0xa0e740]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffab79c3e80 6 bytes {JMP QWORD [RIP+0x61c1b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffab79d11a0 6 bytes {JMP QWORD [RIP+0x59ee90]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffab79d1310 6 bytes {JMP QWORD [RIP+0x57ed20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffab79e7a40 6 bytes {JMP QWORD [RIP+0x6185f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffab79e7fa0 6 bytes {JMP QWORD [RIP+0x658090]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffab79e80b0 6 bytes {JMP QWORD [RIP+0x5a7f80]} .text C:\Program Files\Elantech\ETDCtrl.exe[2056] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffab7a38500 6 bytes {JMP QWORD [RIP+0x5e7b30]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xb7eb50]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xb9eb00]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x125e3a0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x82ca90]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x8abd20]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x129ab50]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x86a910]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [A3, 00] .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x126c8f0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x12aba20]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x7eaa80]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x829ea0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x12abb10]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x1201080]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x850a30]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\WINDOWS\system32\taskhostex.exe[2140] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x83e740]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes JMP b3b34f8f .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes JMP 2dc9 .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes JMP 7200e1 .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x125e3a0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes JMP f2101010 .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x8abd20]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x129ab50]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x86a910]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [A3, 00] .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x126c8f0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x12aba20]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x7eaa80]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes JMP fddddddd .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x12abb10]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x1201080]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x850a30]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes JMP f2101010 .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffab79c3e80 6 bytes {JMP QWORD [RIP+0x61c1b0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffab79d11a0 6 bytes {JMP QWORD [RIP+0x59ee90]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffab79d1310 6 bytes {JMP QWORD [RIP+0x57ed20]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffab79e7a40 6 bytes {JMP QWORD [RIP+0x6185f0]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffab79e7fa0 6 bytes {JMP QWORD [RIP+0x658090]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffab79e80b0 6 bytes {JMP QWORD [RIP+0x5a7f80]} .text C:\WINDOWS\Explorer.EXE[2724] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffab7a38500 6 bytes {JMP QWORD [RIP+0x5e7b30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52300d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x129ee60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x127ee10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xb7ee00]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xb5edf0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0x12beb50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0x12deb00]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x131e3a0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x8acc40]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x9fca90]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0xa7bd20]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x135ab50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0xa3a910]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0xab9d80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x809ca0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x866c60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x666130]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [AF, 00] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xb902b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x132c8f0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 83] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x136ba20]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x122b4b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x818f30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x8aaa80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x86a710]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x9f9ea0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x136bb10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xb09bb0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0xaa3a10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x12c1080]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0xa20a30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x62f0d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x5c6a10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0xa8f100]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0xa0e740]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffab79c3e80 6 bytes {JMP QWORD [RIP+0x61c1b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffab79d11a0 6 bytes {JMP QWORD [RIP+0x59ee90]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffab79d1310 6 bytes {JMP QWORD [RIP+0x57ed20]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffab79e7a40 6 bytes {JMP QWORD [RIP+0x6185f0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffab79e7fa0 6 bytes {JMP QWORD [RIP+0x658090]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffab79e80b0 6 bytes {JMP QWORD [RIP+0x5a7f80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffab7a38500 6 bytes {JMP QWORD [RIP+0x5e7b30]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52300d8 .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x129ee60]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x127ee10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xb7ee00]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xb5edf0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0x12beb50]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0x12deb00]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x131e3a0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x125e380]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x8acc40]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x9fca90]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0xa7bd20]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x135ab50]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0xa3a910]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0xab9d80]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x809ca0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x866c60]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x666130]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [AF, 00] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xb902b0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x132c8f0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 83] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x136ba20]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x122b4b0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x818f30]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x8aaa80]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x86a710]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x9f9ea0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x136bb10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xb09bb0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0xaa3a10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x12c1080]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0xa20a30]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x62f0d0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x5c6a10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0xa8f100]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0xa0e740]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xb7eb50]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xb9eb00]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x125e3a0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x82ca90]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x8abd20]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x129ab50]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x86a910]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [A3, 00] .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x126c8f0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x12aba20]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x7eaa80]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x829ea0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x12abb10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x1201080]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x850a30]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\WINDOWS\system32\SearchIndexer.exe[4048] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x83e740]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xb7eb50]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xb9eb00]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x125e3a0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x82ca90]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x8abd20]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x129ab50]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x86a910]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [A3, 00] .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x126c8f0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x12aba20]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x7eaa80]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x829ea0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x12abb10]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x1201080]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x850a30]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\Windows\System32\skydrive.exe[676] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x83e740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 52] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52300d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 55] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x1ab6ab0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1af58e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1ab40e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0x129ee60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0x127ee10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xb7ee00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xb5edf0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0x12beb50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0x12deb00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x131e3a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0x125e380]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x8acc40]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x9fca90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0xa7bd20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x135ab50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0xa3a910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0xab9d80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x809ca0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x866c60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x666130]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [AF, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xb902b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x132c8f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 83] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x136ba20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0x122b4b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x818f30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x8aaa80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x86a710]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x9f9ea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x136bb10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xb09bb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0xaa3a10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x12c1080]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0xa20a30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x62f0d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x5c6a10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0xa8f100]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0xa0e740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffab79c3e80 6 bytes {JMP QWORD [RIP+0x61c1b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffab79d11a0 6 bytes {JMP QWORD [RIP+0x59ee90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffab79d1310 6 bytes {JMP QWORD [RIP+0x57ed20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffab79e7a40 6 bytes {JMP QWORD [RIP+0x6185f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffab79e7fa0 6 bytes {JMP QWORD [RIP+0x658090]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffab79e80b0 6 bytes {JMP QWORD [RIP+0x5a7f80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffab7a38500 6 bytes {JMP QWORD [RIP+0x5e7b30]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xb7eb50]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xb9eb00]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x125e3a0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x82ca90]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x8abd20]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x129ab50]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x86a910]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes JMP 3a61b8 .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [A3, 00] .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x126c8f0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x12aba20]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x7eaa80]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x829ea0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x12abb10]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x1201080]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x850a30]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes JMP 306060 .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\Windows\System32\hkcmd.exe[3092] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x83e740]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffab52989c6 3 bytes [44, 76, 12] .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffab529f400 5 bytes JMP 00007ffbb52800d8 .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffab52b45e0 5 bytes [FF, 25, 50, BA, 15] .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffab52e9581 5 bytes {JMP QWORD [RIP+0x146ab0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffab52ea750 6 bytes {JMP QWORD [RIP+0x1858e0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffab530bf50 6 bytes {JMP QWORD [RIP+0x1440e0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffab6e111d0 6 bytes {JMP QWORD [RIP+0xb5ee60]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffab6e11220 6 bytes {JMP QWORD [RIP+0xb3ee10]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffab6e11230 6 bytes {JMP QWORD [RIP+0xabee00]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffab6e11240 6 bytes {JMP QWORD [RIP+0xa9edf0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffab6e114e0 6 bytes {JMP QWORD [RIP+0xb7eb50]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffab6e11530 6 bytes {JMP QWORD [RIP+0xb9eb00]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffab6e11c90 6 bytes {JMP QWORD [RIP+0x125e3a0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffab6e11cb0 6 bytes {JMP QWORD [RIP+0xb1e380]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffab6e133f0 6 bytes {JMP QWORD [RIP+0x68cc40]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffab6e135a0 6 bytes {JMP QWORD [RIP+0x82ca90]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffab6e14311 5 bytes {JMP QWORD [RIP+0x8abd20]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffab6e154e0 6 bytes {JMP QWORD [RIP+0x129ab50]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffab6e15720 6 bytes {JMP QWORD [RIP+0x86a910]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffab6e162b0 6 bytes {JMP QWORD [RIP+0x9f9d80]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffab6e16390 6 bytes {JMP QWORD [RIP+0x3e9ca0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffab6e193d0 6 bytes {JMP QWORD [RIP+0x646c60]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffab6e19f00 6 bytes {JMP QWORD [RIP+0x3a6130]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffab6e1b7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffab6e1b7f4 2 bytes [A3, 00] .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffab6e1fd81 5 bytes {JMP QWORD [RIP+0xad02b0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffab6e23740 6 bytes {JMP QWORD [RIP+0x126c8f0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffab6e23c60 5 bytes [FF, 25, D0, C3, 41] .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffab6e24610 6 bytes {JMP QWORD [RIP+0x12aba20]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffab6e24b80 6 bytes {JMP QWORD [RIP+0xaeb4b0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffab6e27101 5 bytes {JMP QWORD [RIP+0x3f8f30]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffab6e355b0 6 bytes {JMP QWORD [RIP+0x7eaa80]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffab6e35920 6 bytes {JMP QWORD [RIP+0x64a710]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffab6e36190 6 bytes {JMP QWORD [RIP+0x829ea0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffab6e44520 6 bytes {JMP QWORD [RIP+0x12abb10]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffab6e46480 6 bytes {JMP QWORD [RIP+0xa49bb0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffab6e4c620 6 bytes {JMP QWORD [RIP+0x9e3a10]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffab6e4efb0 6 bytes {JMP QWORD [RIP+0x1201080]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffab6e4f600 6 bytes {JMP QWORD [RIP+0x850a30]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffab6e70f60 6 bytes {JMP QWORD [RIP+0x36f0d0]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffab6e99620 6 bytes {JMP QWORD [RIP+0x306a10]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffab6ea0f30 6 bytes {JMP QWORD [RIP+0x9cf100]} .text C:\Windows\System32\SettingSyncHost.exe[4528] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffab6ea18f0 6 bytes {JMP QWORD [RIP+0x83e740]} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\lsass.exe[736] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\lsass.exe[736] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\lsass.exe[736] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[816] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[816] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[816] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[876] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[876] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[876] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\dwm.exe[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dwm.exe[956] @ C:\WINDOWS\system32\uDWM.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1020] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1020] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1020] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[304] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[304] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[304] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[428] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[428] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[428] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[428] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[428] @ C:\WINDOWS\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[416] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[416] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[416] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[416] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[416] @ c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[784] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[784] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[784] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\WINDOWS\System32\localspl.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\WINDOWS\System32\PrintIsolationProxy.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\spoolsv.exe[1256] @ C:\WINDOWS\system32\spool\PRTPROCS\x64\winprint.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1280] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1280] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1280] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[1520] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[1520] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\System32\svchost.exe[1520] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\Program Files\Elantech\ETDService.exe[1556] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDService.exe[1556] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDService.exe[1556] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\dashost.exe[1564] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dashost.exe[1564] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\dashost.exe[1564] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1744] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1744] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1744] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1744] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1544] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1544] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[1544] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[2152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[2152] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\WINDOWS\system32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7b10000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrl.exe[2056] @ C:\WINDOWS\SYSTEM32\riched20.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\taskhostex.exe[2140] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\Comctl32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\twinui.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\SYSTEM32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\authui.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\WSShared.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\Windows\System32\ieframe.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\fontext.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\DeviceCenter.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\Explorer.EXE[2724] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[3412] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[3484] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4048] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4048] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4048] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4048] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4048] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\Windows\System32\skydrive.exe[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\Windows\System32\DUI70.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\skydrive.exe[676] @ C:\Windows\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\SYSTEM32\oledlg.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3804] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\hkcmd.exe[3092] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\hkcmd.exe[3092] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\hkcmd.exe[3092] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\hkcmd.exe[3092] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\hkcmd.exe[3092] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\hkcmd.exe[3092] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\hkcmd.exe[3092] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\SettingSyncHost.exe[4528] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\SettingSyncHost.exe[4528] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\SettingSyncHost.exe[4528] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\SettingSyncHost.exe[4528] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] IAT C:\Windows\System32\SettingSyncHost.exe[4528] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffab7ee0000] ---- Devices - GMER 2.1 ---- Device \Driver\NDProxy \Device\NDProxy fffff8010c005920 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [624:5036] fffff960008ca2d0 Thread C:\WINDOWS\system32\svchost.exe [416:5552] 00007ffaaa1d1050 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1608264541 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca97114f608 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca97114f608@68a0f606ab51 0x5E 0xE6 0xFC 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca97114f608@94d771125594 0x7F 0x2B 0x11 0xAC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?So?, ?lis ?07 ?15, 02:05:13??????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5E 0x66 0x5C 0xA4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----