GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-15 20:10:26 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 WDC_WD10EZEX-60M2NA0 rev.03.01A03 931,51GB Running: 0h7bwhic.exe; Driver: C:\Users\Adrian\AppData\Local\Temp\ufldqpow.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001f2100 15 bytes [80, 9C, F0, 01, 80, B5, 6B, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff960001f2110 11 bytes [00, DD, FB, FF, C0, F1, D6, ...] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\services.exe[668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\services.exe[668] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\services.exe[668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\services.exe[668] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffdc1b7cc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffdc1b8f7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\services.exe[668] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffdc1b7cc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffdc1b8f7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffdc1b7cc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffdc1b8f7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\GDI32.dll!BitBlt 00007ffdc18c3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\GDI32.dll!CreateDCW 00007ffdc18d11b0 6 bytes {JMP QWORD [RIP+0x17ee80]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\GDI32.dll!CreateDCA 00007ffdc18d1320 6 bytes {JMP QWORD [RIP+0x15ed10]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\GDI32.dll!MaskBlt 00007ffdc18e7af0 6 bytes {JMP QWORD [RIP+0x1f8540]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\GDI32.dll!StretchBlt 00007ffdc18e8040 6 bytes {JMP QWORD [RIP+0x237ff0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\GDI32.dll!GetPixel 00007ffdc18e8150 6 bytes {JMP QWORD [RIP+0x187ee0]} .text C:\Windows\system32\dwm.exe[976] C:\Windows\system32\GDI32.dll!PlgBlt 00007ffdc19377c0 6 bytes {JMP QWORD [RIP+0x1c8870]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\System32\svchost.exe[76] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffdc1b7cc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffdc1b8f7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes JMP 6d2e30 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffdc1b7cc20 6 bytes {JMP QWORD [RIP+0x163410]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffdc1b8f7e0 6 bytes {JMP QWORD [RIP+0x130850]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\dashost.exe[1584] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\System32\tcpsvcs.exe[1708] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[2140] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\taskhostex.exe[2296] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\system32\svchost.exe[2412] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes JMP 74535353 .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\GDI32.dll!BitBlt 00007ffdc18c3e80 6 bytes {JMP QWORD [RIP+0x41c1b0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\GDI32.dll!CreateDCW 00007ffdc18d11b0 6 bytes {JMP QWORD [RIP+0x24ee80]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\GDI32.dll!CreateDCA 00007ffdc18d1320 6 bytes {JMP QWORD [RIP+0x22ed10]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\GDI32.dll!MaskBlt 00007ffdc18e7af0 6 bytes {JMP QWORD [RIP+0x418540]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\GDI32.dll!StretchBlt 00007ffdc18e8040 6 bytes JMP 740061 .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\GDI32.dll!GetPixel 00007ffdc18e8150 6 bytes {JMP QWORD [RIP+0x257ee0]} .text C:\Windows\Explorer.EXE[2872] C:\Windows\system32\GDI32.dll!PlgBlt 00007ffdc19377c0 6 bytes {JMP QWORD [RIP+0x3e8870]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes JMP 0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes JMP 4e0026 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes JMP 40c5e9d0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes JMP 0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes JMP 0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes JMP 447205c0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes JMP 10376 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes JMP 1000100 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes JMP 0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes JMP 1cda .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes JMP 0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 11] .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfc100d8 .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 14] .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x137c40]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x175c50]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x133f40]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x75ee60]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x73ee10]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6bee00]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x69edf0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x77eb50]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x79eb00]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x7de3a0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x71e380]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x29d0d0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5bba60]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x2db150]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x6daf30]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x81ab60]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x5f9680]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2588a0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x276cc0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x1f4120]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1b3480]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x2f2890]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x632560]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x20bfa0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x7eb4c0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2aae90]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x819840]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 21] .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x6d8b80]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x82c050]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x64a3c0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x5e2690]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x77fca0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x2ff650]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x17f290]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x116ac0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x5cf1b0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x54e810]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\GDI32.dll!BitBlt 00007ffdc18c3e80 6 bytes {JMP QWORD [RIP+0x1fc1b0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\GDI32.dll!CreateDCW 00007ffdc18d11b0 6 bytes {JMP QWORD [RIP+0x17ee80]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\GDI32.dll!CreateDCA 00007ffdc18d1320 6 bytes {JMP QWORD [RIP+0x15ed10]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\GDI32.dll!MaskBlt 00007ffdc18e7af0 6 bytes {JMP QWORD [RIP+0x1f8540]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\GDI32.dll!StretchBlt 00007ffdc18e8040 6 bytes {JMP QWORD [RIP+0x237ff0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\GDI32.dll!GetPixel 00007ffdc18e8150 6 bytes {JMP QWORD [RIP+0x187ee0]} .text C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] C:\Windows\system32\GDI32.dll!PlgBlt 00007ffdc19377c0 6 bytes {JMP QWORD [RIP+0x1c8870]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbfc28d06 3 bytes [04, 73, 2F] .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbfc3b0a0 5 bytes JMP 00007ffdbfbb00d8 .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbfc43440 5 bytes [FF, 25, F0, CB, 32] .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbfc783f1 5 bytes {JMP QWORD [RIP+0x317c40]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffdbfc7a3e0 6 bytes {JMP QWORD [RIP+0x355c50]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffdbfc9c0f0 6 bytes {JMP QWORD [RIP+0x313f40]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!MoveWindow 00007ffdc24f11d0 6 bytes {JMP QWORD [RIP+0x79ee60]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SetParent 00007ffdc24f1220 6 bytes {JMP QWORD [RIP+0x77ee10]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffdc24f1230 6 bytes {JMP QWORD [RIP+0x6fee00]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendInput 00007ffdc24f1240 6 bytes {JMP QWORD [RIP+0x6dedf0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffdc24f14e0 6 bytes {JMP QWORD [RIP+0x7beb50]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!BlockInput 00007ffdc24f1530 6 bytes {JMP QWORD [RIP+0x7deb00]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffdc24f1c90 6 bytes {JMP QWORD [RIP+0x81e3a0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffdc24f1cb0 6 bytes {JMP QWORD [RIP+0x75e380]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!PostMessageW 00007ffdc24f2f60 6 bytes {JMP QWORD [RIP+0x2dd0d0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdc24f45d1 5 bytes {JMP QWORD [RIP+0x5fba60]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffdc24f4ee0 6 bytes {JMP QWORD [RIP+0x31b150]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffdc24f5101 5 bytes {JMP QWORD [RIP+0x71af30]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffdc24f54d0 6 bytes {JMP QWORD [RIP+0x85ab60]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendMessageW 00007ffdc24f5710 6 bytes {JMP QWORD [RIP+0x5ba920]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffdc24f69b0 6 bytes {JMP QWORD [RIP+0x639680]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffdc24f7790 6 bytes {JMP QWORD [RIP+0x2988a0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!PostMessageA 00007ffdc24f9370 6 bytes {JMP QWORD [RIP+0x2b6cc0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffdc24fbf10 6 bytes {JMP QWORD [RIP+0x234120]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!mouse_event 00007ffdc24fcbb0 6 bytes {JMP QWORD [RIP+0x1f3480]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendMessageA 00007ffdc24fd7a0 6 bytes {JMP QWORD [RIP+0x332890]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffdc24fdad0 6 bytes {JMP QWORD [RIP+0x672560]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffdc2504091 5 bytes {JMP QWORD [RIP+0x24bfa0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffdc2504b70 6 bytes {JMP QWORD [RIP+0x82b4c0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffdc25051a0 6 bytes {JMP QWORD [RIP+0x2eae90]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!EnableWindow 00007ffdc25167f0 6 bytes {JMP QWORD [RIP+0x859840]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffdc2516c50 5 bytes [FF, 25, E0, 93, 25] .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffdc25174b0 6 bytes {JMP QWORD [RIP+0x718b80]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffdc2523fe0 6 bytes {JMP QWORD [RIP+0x86c050]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffdc2525c70 6 bytes {JMP QWORD [RIP+0x68a3c0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffdc252d9a0 6 bytes {JMP QWORD [RIP+0x622690]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffdc2530390 6 bytes {JMP QWORD [RIP+0x7bfca0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffdc25309e0 6 bytes {JMP QWORD [RIP+0x59f650]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffdc2550da0 6 bytes {JMP QWORD [RIP+0x1bf290]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!keybd_event 00007ffdc2579570 6 bytes {JMP QWORD [RIP+0x156ac0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffdc2580e80 6 bytes {JMP QWORD [RIP+0x60f1b0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffdc2581820 6 bytes {JMP QWORD [RIP+0x58e810]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\GDI32.dll!BitBlt 00007ffdc18c3e80 6 bytes {JMP QWORD [RIP+0xbfc1b0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\GDI32.dll!CreateDCW 00007ffdc18d11b0 6 bytes {JMP QWORD [RIP+0x24ee80]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\GDI32.dll!CreateDCA 00007ffdc18d1320 6 bytes {JMP QWORD [RIP+0x22ed10]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\GDI32.dll!MaskBlt 00007ffdc18e7af0 6 bytes {JMP QWORD [RIP+0xbf8540]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\GDI32.dll!StretchBlt 00007ffdc18e8040 6 bytes {JMP QWORD [RIP+0xdb7ff0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\GDI32.dll!GetPixel 00007ffdc18e8150 6 bytes {JMP QWORD [RIP+0x257ee0]} .text C:\Program Files\K2T\WTW\wtw.exe[3668] C:\Windows\system32\GDI32.dll!PlgBlt 00007ffdc19377c0 6 bytes {JMP QWORD [RIP+0xd48870]} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\services.exe[668] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\services.exe[668] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\services.exe[668] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\lsass.exe[688] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\lsass.exe[688] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\lsass.exe[688] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[812] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[812] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[812] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[864] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[864] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[864] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\dwm.exe[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\Shell32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\uDWM.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dwm.exe[976] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[76] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[76] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[76] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[288] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[288] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[288] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[288] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[288] @ c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[288] @ c:\windows\system32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[408] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[408] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[408] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[824] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[824] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[824] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[824] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\svchost.exe[824] @ C:\Windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\spoolsv.exe[1328] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\spoolsv.exe[1328] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\spoolsv.exe[1328] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\spoolsv.exe[1328] @ C:\Windows\System32\localspl.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\spoolsv.exe[1328] @ C:\Windows\System32\PrintIsolationProxy.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\spoolsv.exe[1328] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\spoolsv.exe[1328] @ C:\Windows\system32\spool\PRTPROCS\x64\winprint.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1372] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1372] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1372] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1372] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft LifeCam\MSCamS64.exe[1576] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\dashost.exe[1584] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dashost.exe[1584] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dashost.exe[1584] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\dashost.exe[1584] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\tcpsvcs.exe[1708] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\tcpsvcs.exe[1708] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\System32\tcpsvcs.exe[1708] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1728] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1728] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1728] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[1728] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[2140] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[2140] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[2140] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\taskhostex.exe[2296] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\system32\svchost.exe[2412] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[2412] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\system32\svchost.exe[2412] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\Comctl32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\twinui.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18123_none_932c6b81474ee6d2\gdiplus.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\authui.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\WSShared.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\ieframe.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3812] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\system32\shell32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18123_none_932c6b81474ee6d2\gdiplus.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\comctl32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Learnpulse\Screenpresso\Screenpresso.exe[2480] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\Java\jre1.8.0_101\bin\javaw.exe[3580] @ C:\Windows\system32\d3d9.dll[GDI32.dll!DeleteDC] [7ffdc1a10000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Program Files\K2T\WTW\mfc120u.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18123_none_932c6b81474ee6d2\gdiplus.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\comdlg32.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Program Files\K2T\WTW\libLexer.module[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\DUser.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] IAT C:\Program Files\K2T\WTW\wtw.exe[3668] @ C:\Windows\system32\DUI70.dll[GDI32.dll!DeleteDC] [7ffdc1ae0000] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [624:652] fffff960008992d0 Thread C:\Windows\system32\csrss.exe [624:696] fffff960008992d0 Thread C:\Windows\Explorer.EXE [2872:1464] 00007ffd9fc781f4 Thread C:\Windows\Explorer.EXE [2872:1428] 00007ffd9fb3bdf4 Thread C:\Windows\Explorer.EXE [2872:4148] 00007ffdb62f1120 Thread C:\Windows\Explorer.EXE [2872:2744] 00007ffdb6edab50 ---- Services - GMER 2.2 ---- Service C:\Gry\GalaxyClient\GalaxyClientService.exe (*** hidden *** ) [DISABLED] GalaxyClientService <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x1B 0x43 0x4D 0x19 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x27 0x9B 0xAA 0x28 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x7B 0xA5 0x4F 0x19 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x27 0x9B 0xAA 0x28 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US 395 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM0302H9XQ204171_07_07D8_FA+SAM011EHMDYC53510_34_07D5_0D^1B4826B1AE882D7217E9A22917836300@Timestamp 0x31 0x13 0xF7 0x19 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1763421793 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID a10c9198-253d-409e-89e1-f5c9a8b Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{9c61ef65-c86e-40a4-9b23-5416169fffa0} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{6904c658-54e3-4cf8-8158-da03501c7f4e}@LastProbeTime 1476556524 Reg HKLM\SYSTEM\CurrentControlSet\Services\GalaxyClientService@Start 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\GalaxyClientService Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\84-a4-23-4a-1d-e9@AddressCreationTimestamp 0x0A 0xEC 0x12 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\84-a4-23-4a-1d-e9@TeredoAddress 2001:0:5ef5:79fd:18a7:3e4f:acfa:f84e Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\84-a4-23-4a-1d-e9@ClientLocalPort 49584 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\84-a4-23-4a-1d-e9@UPnPExternalPort 49584 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?So?, ?pa? ?15 ?16, 06:39:32??????h???????h???????????????h???? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 9645 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 3280 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 394 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F156E57-9EA5-41AE-A1C5-711F30ABD53A}@LeaseObtainedTime 1476549320 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F156E57-9EA5-41AE-A1C5-711F30ABD53A}@T1 1476592520 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F156E57-9EA5-41AE-A1C5-711F30ABD53A}@T2 1476624920 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F156E57-9EA5-41AE-A1C5-711F30ABD53A}@LeaseTerminatesTime 1476635720 Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList@MRUList fgcjhaibe Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithList@MRUList cabed Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSI_LiveUpdate_S_b64ac52c369df1a689db2753cc2a8343ae32db_5ea7750b_09f8b94d ---- Files - GMER 2.2 ---- File C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Starbound [GOG.com] 0 bytes File C:\Gry\Starbound 0 bytes File C:\Users\Adrian\AppData\Local\Microsoft\Windows\Explorer\TileCacheLogo-5381703_100.dat 0 bytes ---- EOF - GMER 2.2 ----