GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-05 18:03:39 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d TOSHIBA_MK3263GSX rev.FG020M 298,09GB Running: 3h72ybpd.exe; Driver: C:\Users\admin\AppData\Local\Temp\kfwdruob.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\services.exe[692] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffebd83ca30 6 bytes {JMP QWORD [RIP+0x153600]} .text C:\WINDOWS\system32\services.exe[692] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffebd8b0c60 6 bytes {JMP QWORD [RIP+0xbf3d0]} .text C:\WINDOWS\system32\svchost.exe[824] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffebd83ca30 6 bytes {JMP QWORD [RIP+0x153600]} .text C:\WINDOWS\system32\svchost.exe[824] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffebd8b0c60 6 bytes {JMP QWORD [RIP+0xbf3d0]} .text C:\WINDOWS\system32\svchost.exe[860] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffebd83ca30 6 bytes {JMP QWORD [RIP+0x153600]} .text C:\WINDOWS\system32\svchost.exe[860] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffebd8b0c60 6 bytes {JMP QWORD [RIP+0xbf3d0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffebd83ca30 6 bytes {JMP QWORD [RIP+0x153600]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffebd8b0c60 6 bytes {JMP QWORD [RIP+0xbf3d0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\WINDOWS\system32\svchost.exe[68] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffebe378ca0 6 bytes {JMP QWORD [RIP+0x217390]} .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffebe4152b0 5 bytes [FF, 25, 80, AD, 15] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffebe415450 5 bytes [FF, 25, E0, AB, 45] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffebe415650 5 bytes [FF, 25, E0, A9, 2F] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffebe415730 5 bytes [FF, 25, 00, A9, 3D] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffebe4157b0 5 bytes [FF, 25, 80, A8, 39] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffebe4158f0 5 bytes [FF, 25, 40, A7, 3F] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffebe4159d0 5 bytes [FF, 25, 60, A6, 1F] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffebe415a10 5 bytes [FF, 25, 20, A6, 37] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffebe415a90 5 bytes [FF, 25, A0, A5, 27] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffebe415b30 5 bytes [FF, 25, 00, A5, 29] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffebe415b70 5 bytes [FF, 25, C0, A4, 3B] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffebe415f60 5 bytes [FF, 25, D0, A0, 49] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffebe415fa0 5 bytes [FF, 25, 90, A0, 1B] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffebe4161c0 5 bytes [FF, 25, 70, 9E, 19] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffebe4163e0 5 bytes [FF, 25, 50, 9C, 31] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffebe4164a0 5 bytes [FF, 25, 90, 9B, 21] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffebe4165c0 5 bytes [FF, 25, 70, 9A, 1D] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffebe416640 5 bytes [FF, 25, F0, 99, 25] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffebe416700 5 bytes [FF, 25, 30, 99, 23] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffebe416720 5 bytes [FF, 25, 10, 99, 41] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffebe416740 5 bytes [FF, 25, F0, 98, 47] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffebe416fa0 5 bytes [FF, 25, 90, 90, 33] .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffebe4170e0 6 bytes {JMP QWORD [RIP+0x438f50]} .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffebe4182e0 6 bytes {JMP QWORD [RIP+0x357d50]} .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffebe418420 6 bytes {JMP QWORD [RIP+0x2b7c10]} .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffebe418540 6 bytes {JMP QWORD [RIP+0x2d7af0]} .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffebd83ca30 6 bytes {JMP QWORD [RIP+0x153600]} .text C:\WINDOWS\system32\svchost.exe[1156] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffebd8b0c60 6 bytes {JMP QWORD [RIP+0xbf3d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1256] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\WINDOWS\System32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} ? C:\WINDOWS\system32\apphelp.dll [2000] entry point in ".rdata" section 0000000074360380 .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffebb33c77b 3 bytes [8F, 38, 1D] .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffebb35d060 5 bytes JMP 00007ffebb3100d8 .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffebb363cd0 6 bytes {JMP QWORD [RIP+0x21c360]} .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffebb364650 6 bytes {JMP QWORD [RIP+0x23b9e0]} .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffebb3671d0 6 bytes {JMP QWORD [RIP+0x258e60]} .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffebb38e6c0 5 bytes [FF, 25, 70, 19, 1D] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffebe378ca0 6 bytes {JMP QWORD [RIP+0x217390]} .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffebe4152b0 5 bytes [FF, 25, 80, AD, 15] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffebe415450 5 bytes [FF, 25, E0, AB, 45] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffebe415650 5 bytes [FF, 25, E0, A9, 2F] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffebe415730 5 bytes [FF, 25, 00, A9, 3D] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffebe4157b0 5 bytes [FF, 25, 80, A8, 39] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffebe4158f0 5 bytes [FF, 25, 40, A7, 3F] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffebe4159d0 5 bytes [FF, 25, 60, A6, 1F] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffebe415a10 5 bytes [FF, 25, 20, A6, 37] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffebe415a90 5 bytes [FF, 25, A0, A5, 27] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffebe415b30 5 bytes [FF, 25, 00, A5, 29] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffebe415b70 5 bytes [FF, 25, C0, A4, 3B] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffebe415f60 5 bytes [FF, 25, D0, A0, 49] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffebe415fa0 5 bytes [FF, 25, 90, A0, 1B] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffebe4161c0 5 bytes [FF, 25, 70, 9E, 19] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffebe4163e0 5 bytes [FF, 25, 50, 9C, 31] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffebe4164a0 5 bytes [FF, 25, 90, 9B, 21] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffebe4165c0 5 bytes [FF, 25, 70, 9A, 1D] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffebe416640 5 bytes [FF, 25, F0, 99, 25] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffebe416700 5 bytes [FF, 25, 30, 99, 23] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffebe416720 5 bytes [FF, 25, 10, 99, 41] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffebe416740 5 bytes [FF, 25, F0, 98, 47] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffebe416fa0 5 bytes [FF, 25, 90, 90, 33] .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffebe4170e0 6 bytes {JMP QWORD [RIP+0x438f50]} .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffebe4182e0 6 bytes {JMP QWORD [RIP+0x357d50]} .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffebe418420 6 bytes {JMP QWORD [RIP+0x2b7c10]} .text C:\WINDOWS\system32\taskhostw.exe[3220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffebe418540 6 bytes {JMP QWORD [RIP+0x2d7af0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffebb33c77b 3 bytes [8F, 38, 1D] .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffebb35d060 5 bytes JMP 00007ffebb3100d8 .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffebb363cd0 6 bytes {JMP QWORD [RIP+0x21c360]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffebb364650 6 bytes {JMP QWORD [RIP+0x23b9e0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffebb3671d0 6 bytes {JMP QWORD [RIP+0x258e60]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffebb38e6c0 5 bytes [FF, 25, 70, 19, 1D] .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\Windows\System32\RuntimeBroker.exe[3352] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffebb33c77b 3 bytes [8F, 38, 1D] .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffebb35d060 5 bytes JMP 00007ffebb3100d8 .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffebb363cd0 6 bytes {JMP QWORD [RIP+0x21c360]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffebb364650 6 bytes {JMP QWORD [RIP+0x23b9e0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffebb3671d0 6 bytes {JMP QWORD [RIP+0x258e60]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffebb38e6c0 5 bytes [FF, 25, 70, 19, 1D] .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\WINDOWS\Explorer.EXE[3572] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} ? C:\WINDOWS\system32\apphelp.dll [3664] entry point in ".rdata" section 0000000074360380 ? C:\Windows\SYSTEM32\ActXPrxy.dll [3664] entry point in ".rdata" section 0000000072edbd10 ? C:\WINDOWS\SYSTEM32\Windows.Networking.HostName.dll [3664] entry point in ".rdata" section 00000000683e3090 .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 363 00007ffebb33c77b 3 bytes [8F, 38, 1D] .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffebb35d060 5 bytes JMP 00007ffebb3100d8 .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW 00007ffebb363cd0 6 bytes {JMP QWORD [RIP+0x21c360]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffebb364650 6 bytes {JMP QWORD [RIP+0x23b9e0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffebb3671d0 6 bytes {JMP QWORD [RIP+0x258e60]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffebb38e6c0 5 bytes [FF, 25, 70, 19, 1D] .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\WINDOWS\system32\SearchIndexer.exe[4344] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffebe378ca0 6 bytes {JMP QWORD [RIP+0x217390]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffebe4152b0 5 bytes [FF, 25, 80, AD, 15] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffebe415450 5 bytes [FF, 25, E0, AB, 45] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffebe415650 5 bytes [FF, 25, E0, A9, 2F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffebe415730 5 bytes [FF, 25, 00, A9, 3D] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffebe4157b0 5 bytes [FF, 25, 80, A8, 39] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffebe4158f0 5 bytes [FF, 25, 40, A7, 3F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffebe4159d0 5 bytes [FF, 25, 60, A6, 1F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffebe415a10 5 bytes [FF, 25, 20, A6, 37] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffebe415a90 5 bytes [FF, 25, A0, A5, 27] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffebe415b30 5 bytes [FF, 25, 00, A5, 29] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffebe415b70 5 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffebe415f60 5 bytes [FF, 25, D0, A0, 49] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffebe415fa0 5 bytes [FF, 25, 90, A0, 1B] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffebe4161c0 5 bytes [FF, 25, 70, 9E, 19] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffebe4163e0 5 bytes [FF, 25, 50, 9C, 31] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffebe4164a0 5 bytes [FF, 25, 90, 9B, 21] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffebe4165c0 5 bytes [FF, 25, 70, 9A, 1D] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffebe416640 5 bytes [FF, 25, F0, 99, 25] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffebe416700 5 bytes [FF, 25, 30, 99, 23] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffebe416720 5 bytes JMP 1a3b .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffebe416740 5 bytes [FF, 25, F0, 98, 47] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffebe416fa0 5 bytes [FF, 25, 90, 90, 33] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffebe4170e0 6 bytes JMP 1a3b .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffebe4182e0 6 bytes {JMP QWORD [RIP+0x357d50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffebe418420 6 bytes {JMP QWORD [RIP+0x2b7c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffebe418540 6 bytes {JMP QWORD [RIP+0x2d7af0]} ? C:\WINDOWS\SYSTEM32\iertutil.dll [2924] entry point in ".rdata" section 00000000725112d0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [2924] entry point in ".rdata" section 0000000071b2bb10 ? C:\WINDOWS\system32\apphelp.dll [1996] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\SYSTEM32\iertutil.dll [3364] entry point in ".rdata" section 00000000725112d0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [3364] entry point in ".rdata" section 0000000068e28fa0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [3364] entry point in ".rdata" section 0000000072edbd10 ? C:\Windows\SYSTEM32\iertutil.dll [2748] entry point in ".rdata" section 00000000725112d0 ? C:\WINDOWS\system32\apphelp.dll [2748] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [5528] entry point in ".rdata" section 0000000074360380 ? C:\Windows\SYSTEM32\iertutil.dll [5528] entry point in ".rdata" section 00000000725112d0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5528] entry point in ".rdata" section 0000000071b2bb10 ? C:\Windows\SYSTEM32\ActXPrxy.dll [5528] entry point in ".rdata" section 0000000072edbd10 ? C:\WINDOWS\system32\apphelp.dll [5752] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [5952] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [5960] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [5976] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [5984] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [6000] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [6008] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [6060] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [3772] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [6524] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [5660] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6324] entry point in ".rdata" section 00000000725112d0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6324] entry point in ".rdata" section 0000000071b2bb10 ? C:\WINDOWS\system32\apphelp.dll [3104] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [4248] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [4536] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [2732] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [612] entry point in ".rdata" section 0000000074360380 ? C:\WINDOWS\system32\apphelp.dll [5096] entry point in ".rdata" section 0000000074360380 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffebe378ca0 6 bytes {JMP QWORD [RIP+0x217390]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffebe4152b0 5 bytes [FF, 25, 80, AD, 15] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffebe415450 5 bytes [FF, 25, E0, AB, 45] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffebe415650 5 bytes [FF, 25, E0, A9, 2F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffebe415730 5 bytes [FF, 25, 00, A9, 3D] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffebe4157b0 5 bytes [FF, 25, 80, A8, 39] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffebe4158f0 5 bytes [FF, 25, 40, A7, 3F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffebe4159d0 5 bytes [FF, 25, 60, A6, 1F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffebe415a10 5 bytes [FF, 25, 20, A6, 37] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffebe415a90 5 bytes [FF, 25, A0, A5, 27] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffebe415b30 5 bytes [FF, 25, 00, A5, 29] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffebe415b70 5 bytes [FF, 25, C0, A4, 3B] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffebe415f60 5 bytes [FF, 25, D0, A0, 49] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffebe415fa0 5 bytes [FF, 25, 90, A0, 1B] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffebe4161c0 5 bytes [FF, 25, 70, 9E, 19] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffebe4163e0 5 bytes [FF, 25, 50, 9C, 31] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffebe4164a0 5 bytes [FF, 25, 90, 9B, 21] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffebe4165c0 5 bytes [FF, 25, 70, 9A, 1D] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ffebe416640 5 bytes [FF, 25, F0, 99, 25] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffebe416700 5 bytes [FF, 25, 30, 99, 23] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffebe416720 5 bytes [FF, 25, 10, 99, 41] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffebe416740 5 bytes [FF, 25, F0, 98, 47] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffebe416fa0 5 bytes [FF, 25, 90, 90, 33] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffebe4170e0 6 bytes {JMP QWORD [RIP+0x438f50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffebe4182e0 6 bytes {JMP QWORD [RIP+0x357d50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffebe418420 6 bytes {JMP QWORD [RIP+0x2b7c10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffebe418540 6 bytes {JMP QWORD [RIP+0x2d7af0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffebc171a90 6 bytes {JMP QWORD [RIP+0x41e5a0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffebc1728e0 6 bytes {JMP QWORD [RIP+0x1dd750]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffebc17d670 6 bytes {JMP QWORD [RIP+0x2529c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffebc180560 6 bytes {JMP QWORD [RIP+0x30fad0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffebc185eb0 6 bytes {JMP QWORD [RIP+0x2ea180]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffebc186fc0 5 bytes [FF, 25, 70, 90, 22] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffebc187220 6 bytes {JMP QWORD [RIP+0x3c8e10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffebc189480 6 bytes {JMP QWORD [RIP+0x286bb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffebc18cf00 6 bytes {JMP QWORD [RIP+0x5a3130]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW 00007ffebc18f9d0 6 bytes {JMP QWORD [RIP+0x340660]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffebc1923a0 6 bytes {JMP QWORD [RIP+0x57dc90]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffebc192f60 6 bytes {JMP QWORD [RIP+0x47d0d0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!GetKeyState 00007ffebc1930d0 6 bytes {JMP QWORD [RIP+0x45cf60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffebc195600 6 bytes {JMP QWORD [RIP+0x2baa30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffebc195df0 6 bytes {JMP QWORD [RIP+0x37a240]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffebc196030 6 bytes {JMP QWORD [RIP+0x1da000]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 00007ffebc197030 6 bytes {JMP QWORD [RIP+0x1f9000]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffebc197820 6 bytes {JMP QWORD [RIP+0x298810]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffebc1978a0 6 bytes {JMP QWORD [RIP+0x258790]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffebc199060 6 bytes {JMP QWORD [RIP+0x5b6fd0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffebc199b20 6 bytes {JMP QWORD [RIP+0x196510]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffebc199d60 6 bytes {JMP QWORD [RIP+0x5d62d0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffebc19d320 6 bytes {JMP QWORD [RIP+0x392d10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffebc19d820 6 bytes {JMP QWORD [RIP+0x312810]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffebc19e520 6 bytes {JMP QWORD [RIP+0x531b10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffebc1a2ca0 6 bytes {JMP QWORD [RIP+0x4cd390]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffebc1a2fc0 6 bytes {JMP QWORD [RIP+0x4ad070]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffebc1a2fe0 6 bytes {JMP QWORD [RIP+0x42d050]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffebc1a3120 6 bytes {JMP QWORD [RIP+0x40cf10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffebc1a4420 6 bytes {JMP QWORD [RIP+0x4ebc10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffebc1a89e0 6 bytes {JMP QWORD [RIP+0x507650]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffebc1aa140 6 bytes {JMP QWORD [RIP+0x545ef0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffebc1aa1c0 6 bytes {JMP QWORD [RIP+0x485e70]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!EndTask 00007ffebc1cd0b0 6 bytes {JMP QWORD [RIP+0x122f80]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffebc1f0eb0 6 bytes {JMP QWORD [RIP+0x11f180]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffebc1f84e0 6 bytes {JMP QWORD [RIP+0x377b50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffebc1f8c30 6 bytes {JMP QWORD [RIP+0x2f7400]} ? C:\WINDOWS\system32\apphelp.dll [1136] entry point in ".rdata" section 0000000074360380 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\system32\svchost.exe[824] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[824] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[860] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\dwm.exe[940] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\dwm.exe[940] @ C:\WINDOWS\SYSTEM32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\dwm.exe[940] @ C:\WINDOWS\SYSTEM32\udwm.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\dwm.exe[940] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\dwm.exe[940] @ C:\WINDOWS\SYSTEM32\dwmghost.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\dwm.exe[940] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[1008] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[1008] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\System32\svchost.exe[1020] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\nvvsvc.exe[1264] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\System32\spoolsv.exe[1508] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\svchost.exe[2016] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\sihost.exe[3144] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3152] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\taskhostw.exe[3220] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\taskhostw.exe[3220] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\taskhostw.exe[3220] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\Windows\System32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\WINDOWS\system32\Windows.Internal.Shell.Broker.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\Windows\System32\TwinUI.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.589_none_a2ddb3caa539acce\comctl32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\RuntimeBroker.exe[3352] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.589_none_a2ddb3caa539acce\comctl32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\Windows\System32\TwinUI.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\DUI70.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\UIRibbon.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\Explorer.EXE[3572] @ C:\WINDOWS\system32\wpdshext.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[4228] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[4228] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[4228] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4344] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4344] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\SearchIndexer.exe[4344] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4960] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\StikyNot.exe[2212] @ C:\Windows\System32\StikyNot.exe[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\StikyNot.exe[2212] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\Windows\System32\StikyNot.exe[2212] @ C:\Windows\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffebb960000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[7800] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffebb960000] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [624:736] fffff9607e3c4030 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 665733900 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS_s Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0024d2fc2ccd Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ??r.?, ?pa? ?05 ?16, 11:00:02 AM??????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 14457 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 4810 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xA6 0xF3 0x22 0x10 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA6 0x5B 0xE7 0x71 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xA6 0x8B 0x5E 0xAE ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Chrome? ---- EOF - GMER 2.2 ----