GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-27 06:09:54 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 ST1000LM014-SSHD-8GB rev.LVD3 931,51GB Running: t3hpbnk4.exe; Driver: C:\Users\pc\AppData\Local\Temp\fxlyrpog.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff848175050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff848196220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa9ee60]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa7ee10]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9fee00]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 
bytes {JMP QWORD [RIP+0x9dedf0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xabeb50]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xb4eb00]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb8e3a0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa5e380]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x41cc50]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x45caa0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x84bd30]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xbcab60]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x78a920]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x939d90]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x379cb0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x3d6c70]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x336140]} .text C:\WINDOWS\system32\services.exe[736] 
C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [97, 00] .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xa102c0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb9c900]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 3A] .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xd7ba30]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xa2b4c0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x388f40]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x41aa90]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x3da720]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x459eb0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xd7bb10]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x989bb0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x923a10]} .text C:\WINDOWS\system32\services.exe[736] 
C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xb31080]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x7f0a30]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2ff0c0]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x296940]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x90f030]} .text C:\WINDOWS\system32\services.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x88e670]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text 
C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text 
C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\lsass.exe[756] 
C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\lsass.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff848175050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text 
C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff848196220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa9ee60]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa7ee10]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9fee00]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x9dedf0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xabeb50]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xb4eb00]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb8e3a0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa5e380]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x41cc50]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x45caa0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x84bd30]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xbcab60]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x78a920]} .text 
C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x939d90]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x379cb0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x3d6c70]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x336140]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [97, 00] .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xa102c0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb9c900]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 3A] .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xd7ba30]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xa2b4c0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x388f40]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x41aa90]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x3da720]} .text 
C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x459eb0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xd7bb10]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x989bb0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x923a10]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xb31080]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x7f0a30]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2ff0c0]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x296940]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x90f030]} .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x88e670]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 
bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff848175050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff848196220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa9ee60]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa7ee10]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9fee00]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x9dedf0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xabeb50]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xb4eb00]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb8e3a0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa5e380]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x41cc50]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP 
QWORD [RIP+0x45caa0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x84bd30]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xbcab60]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x78a920]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x939d90]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x379cb0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x3d6c70]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x336140]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [97, 00] .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xa102c0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb9c900]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 3A] .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xd7ba30]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xa2b4c0]} 
.text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x388f40]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x41aa90]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x3da720]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x459eb0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xd7bb10]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x989bb0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x923a10]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xb31080]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x7f0a30]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2ff0c0]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x296940]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x90f030]} .text C:\WINDOWS\system32\svchost.exe[900] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x88e670]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] 
.text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xdcee60]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xdaee10]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xdeeb50]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xe0eb00]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xe4e3a0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xd8e380]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\dwm.exe[984] 
C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xe8ab60]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xe5c900]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xe9ba30]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP 
QWORD [RIP+0xbbb4c0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x13abb10]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xdf1080]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text 
C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\WINDOWS\system32\dwm.exe[984] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x147ee60]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x145ee10]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] 
C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xe7ee00]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xe5edf0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x149eb50]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x14beb00]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x14fe3a0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x143e380]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x9dcc50]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xa1caa0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0xa9bd30]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x153ab60]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xa5a920]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes JMP 640020 .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x939cb0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x996c70]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] 
C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x846140]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes JMP 1000100 .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes JMP 1000100 .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xe902c0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x150c900]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 96] .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x154ba30]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x120b4c0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x948f40]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x9daa90]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x99a720]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xa19eb0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x154bb10]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 
00007ff84800c620 6 bytes JMP 14bdf .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x14a1080]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0xa40a30]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x8bf0c0]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x7a6940]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xb1f030]} .text C:\WINDOWS\system32\nvvsvc.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0xa2e670]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes JMP 71e860 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes JMP 147df80 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes JMP 3e12c278 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] 
C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes JMP 202540 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text 
C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x15dee60]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x15bee10]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x153ee00]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes JMP 160014 .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x15feb50]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x161eb00]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x165e3a0]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x159e380]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0xbacc50]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x143bd30]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x169ab60]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[408] 
C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0xa99cb0]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0xb66c70]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0xa56140]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [4B, 01] .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x166c900]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, B3] .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x16aba30]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x156b4c0]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0xaa8f40]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0xbaaa90]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0xb6a720]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes JMP 300030 
.text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x16abb10]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x14c9bb0]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x1463a10]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1601080]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0xa1f0c0]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x9b6940]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x13ce670]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\GDI32.dll!MaskBlt 
00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\WINDOWS\system32\nvvsvc.exe[408] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 
00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 
00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!keybd_event 
00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\System32\svchost.exe[424] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff848175050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff848196220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa9ee60]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa7ee10]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9fee00]} .text C:\WINDOWS\system32\svchost.exe[800] 
C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x9dedf0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xabeb50]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xb4eb00]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb8e3a0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa5e380]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x41cc50]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x45caa0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x84bd30]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xbcab60]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x78a920]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x939d90]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x379cb0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x3d6c70]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x336140]} .text C:\WINDOWS\system32\svchost.exe[800] 
C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [97, 00] .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xa102c0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb9c900]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 3A] .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xd7ba30]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xa2b4c0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x388f40]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x41aa90]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x3da720]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x459eb0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xd7bb10]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x989bb0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x923a10]} .text C:\WINDOWS\system32\svchost.exe[800] 
C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xb31080]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x7f0a30]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2ff0c0]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x296940]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x90f030]} .text C:\WINDOWS\system32\svchost.exe[800] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x88e670]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text 
C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} 
.text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text 
C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 
bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 
00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes 
{JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\System32\svchost.exe[1044] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes CALL 440037 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] 
C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes JMP 6 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x148ee60]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x146ee10]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xe8ee00]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xe6edf0]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x14aeb50]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x14ceb00]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x144e380]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x9dcc50]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xa1caa0]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0xa9bd30]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x154ab60]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xa5a920]} 
.text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xb49d90]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x939cb0]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x996c70]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x846140]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [B8, 00] .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x151c900]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 96] .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x155ba30]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x13cb4c0]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x948f40]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x9daa90]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!PostMessageA 
00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x99a720]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xa19eb0]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x155bb10]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb99bb0]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xb33a10]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x14b1080]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes JMP bee80 .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x7a6940]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xb1f030]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1072] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0xa2e670]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text 
C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD 
[RIP+0x78bd30]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD 
[RIP+0x348f40]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 
00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\System32\spoolsv.exe[1528] 
C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\System32\spoolsv.exe[1528] 
C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\System32\spoolsv.exe[1528] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text 
C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff848175050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff848196220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa9ee60]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa7ee10]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9fee00]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x9dedf0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xabeb50]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP 
QWORD [RIP+0xb4eb00]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb8e3a0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa5e380]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x41cc50]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x45caa0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x84bd30]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xbcab60]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x78a920]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x939d90]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x379cb0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x3d6c70]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x336140]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [97, 00] .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP 
QWORD [RIP+0xa102c0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb9c900]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 3A] .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xd7ba30]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xa2b4c0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x388f40]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x41aa90]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x3da720]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x459eb0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xd7bb10]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x989bb0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x923a10]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xb31080]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x7f0a30]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 
6 bytes {JMP QWORD [RIP+0x2ff0c0]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x296940]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x90f030]} .text C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x88e670]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\System32\svchost.exe[1764] 
C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text 
C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text 
C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\System32\svchost.exe[1764] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 
bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!mouse_event 
00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 
6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\dashost.exe[1784] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD 
[RIP+0x15eee60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x15cee10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x154ee00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x152edf0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x160eb50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x162eb00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x166e3a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x15ae380]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0xbacc50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xe6caa0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x144bd30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x16aab60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xeaa920]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 
00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x1489d90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0xa99cb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0xb66c70]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0xa56140]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [4C, 01] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x15602c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x167c900]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, B3] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x16bba30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x157b4c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0xaa8f40]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0xbaaa90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 
6 bytes {JMP QWORD [RIP+0xb6a720]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xe69eb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x16bbb10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x14d9bb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x1473a10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1611080]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x13a0a30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0xa1f0c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x9b6940]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x145f030]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x13de670]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] 
.text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text 
C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} 
.text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\NVIDIA 
Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\Program Files\NVIDIA 
Corporation\GeForce Experience Service\GfExperienceService.exe[1840] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x147ee60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x145ee10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xe7ee00]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xe5edf0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x149eb50]} .text C:\Program 
Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x14beb00]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x14fe3a0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x143e380]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x9dcc50]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xa1caa0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0xa9bd30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x153ab60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xa5a920]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xb49d90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x939cb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x996c70]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x846140]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] 
C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [B8, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x150c900]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 96] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x154ba30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x120b4c0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x948f40]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x9daa90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x99a720]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xa19eb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x154bb10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb99bb0]} .text 
C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xb33a10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x14a1080]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x8bf0c0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x7a6940]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xb1f030]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0xa2e670]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 37] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 39] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x18c2550]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes 
{JMP QWORD [RIP+0x1900540]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x18c3f60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x148ee60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x146ee10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xe8ee00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xe6edf0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x14aeb50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x14ceb00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x150e3a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x144e380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x9dcc50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xa1caa0]} .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0xa9bd30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x154ab60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xa5a920]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xb49d90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x939cb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x996c70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x846140]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [B8, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xea02c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x151c900]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] 
C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 96] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x155ba30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x13cb4c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x948f40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x9daa90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x99a720]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xa19eb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x155bb10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb99bb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xb33a10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x14b1080]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 
bytes {JMP QWORD [RIP+0xa40a30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x8bf0c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x7a6940]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xb1f030]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0xa2e670]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 37] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 39] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x18c2550]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1900540]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x18c3f60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x15dee60]} .text 
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x15bee10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x153ee00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x151edf0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x15feb50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x161eb00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x165e3a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x159e380]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0xbacc50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xe5caa0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x143bd30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x169ab60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] 
C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xe9a920]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x1479d90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0xa99cb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0xb66c70]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0xa56140]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [4B, 01] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x15502c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x166c900]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, B3] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x16aba30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x156b4c0]} .text 
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0xaa8f40]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0xbaaa90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0xb6a720]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xe59eb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x16abb10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x14c9bb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x1463a10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1601080]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x11e0a30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0xa1f0c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x9b6940]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] 
C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x144f030]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x13ce670]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Program 
Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD 
[RIP+0x396c70]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes JMP bac .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes JMP 0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes JMP 0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] 
C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[2180] 
C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text 
C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text 
C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\svchost.exe[2180] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] 
C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes JMP 19 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes JMP 0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] 
C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes JMP 367abb81 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] 
C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes JMP 0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 
bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 37] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 39] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 
5 bytes JMP 00007ff8464900d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x18c2550]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1900540]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x18c3f60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x148ee60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x146ee10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xe8ee00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xe6edf0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x14aeb50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x14ceb00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x150e3a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x144e380]} .text C:\Program 
Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x9dcc50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xa1caa0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0xa9bd30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x154ab60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xa5a920]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xb49d90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x939cb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x996c70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x846140]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [B8, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] 
C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xea02c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x151c900]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 96] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x155ba30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x13cb4c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x948f40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x9daa90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x99a720]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xa19eb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x155bb10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb99bb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 
bytes {JMP QWORD [RIP+0xb33a10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x14b1080]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0xa40a30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x8bf0c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x7a6940]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xb1f030]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0xa2e670]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text 
C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD 
[RIP+0xa59d90]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text 
C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\WINDOWS\system32\conhost.exe[2456] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD 
[RIP+0x1a0540]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes JMP ffffffff .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes JMP 14c2c950 .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes JMP 48170dd0 .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text 
C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes JMP 200027 .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text 
C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\WINDOWS\Explorer.EXE[2236] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\WINDOWS\system32\svchost.exe[2544] 
C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text 
C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text 
C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD 
[RIP+0x8cf030]} .text C:\WINDOWS\system32\svchost.exe[2544] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 
00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\svchost.exe[2624] 
C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text 
C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\svchost.exe[2624] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 
bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\WUDFHost.exe[2636] 
C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text 
C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\Windows\System32\WUDFHost.exe[2636] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 37] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 39] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x18c2550]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1900540]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x18c3f60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x15eee60]} .text C:\Program 
Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x15cee10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x154ee00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x152edf0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x160eb50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x162eb00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x166e3a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x15ae380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0xbacc50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xe6caa0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x144bd30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x16aab60]} .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xeaa920]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x1489d90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0xa99cb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0xb66c70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0xa56140]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [4C, 01] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x15602c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x167c900]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, B3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x16bba30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 
00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x157b4c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0xaa8f40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0xbaaa90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0xb6a720]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xe69eb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x16bbb10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x14d9bb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x1473a10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1611080]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x13a0a30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0xa1f0c0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x9b6940]} .text 
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x145f030]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x13de670]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text 
C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP 
QWORD [RIP+0x99bd30]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD 
[RIP+0x348f40]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\WINDOWS\system32\conhost.exe[3440] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 
00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text 
C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 
bytes {JMP QWORD [RIP+0x14cba30]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\taskhostex.exe[3456] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\WINDOWS\system32\taskhostex.exe[3456] 
C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program 
Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes JMP 6f002d .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] 
C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes JMP 630061 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Windows\System32\igfxtray.exe[4080] 
C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text 
C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes JMP ffffffff .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text 
C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes JMP 2e2720 .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Windows\System32\igfxtray.exe[4080] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 
.text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 
00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SetWinEventHook 
+ 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes JMP 8901f4 .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] 
C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\WINDOWS\system32\igfxsrvc.exe[1664] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\Windows\System32\hkcmd.exe[3164] 
C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes JMP 339ca0 .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Windows\System32\hkcmd.exe[3164] 
C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes JMP 6f0052 .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP 
QWORD [RIP+0xa43a10]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Windows\System32\hkcmd.exe[3164] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\Windows\System32\igfxpers.exe[3272] 
C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes JMP 0 .text 
C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes JMP 730065 .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\Windows\System32\igfxpers.exe[3272] 
C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Windows\System32\igfxpers.exe[3272] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes JMP 1000100 .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 
00007ff84651c0d0 6 bytes JMP 10 .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program 
Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!PostMessageA 
00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes JMP 5f0076 .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Program Files\IDT\WDM\sttray64.exe[1728] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 
00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xe7ee10]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] 
C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] 
C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\Program Files\Lenovo\Onekey 
Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x3ce230]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] 
C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0x15dee60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0x15bee10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x153ee00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x151edf0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x15feb50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!BlockInput 
00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x161eb00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x165e3a0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0x159e380]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0xbacc50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0xe5caa0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x143bd30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x169ab60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0xe9a920]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x1479d90]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0xa99cb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0xb66c70]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD 
[RIP+0xa56140]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [4B, 01] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x15502c0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x166c900]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, B3] .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x16aba30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x156b4c0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0xaa8f40]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0xbaaa90]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0xb6a720]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0xe59eb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] 
C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x16abb10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x14c9bb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x1463a10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1601080]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x11e0a30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0xa1f0c0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x9b6940]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x144f030]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x13ce670]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 bytes {JMP QWORD [RIP+0x46c970]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x3ee3a0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes 
{JMP QWORD [RIP+0x3ce230]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x4af300]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x3ff1f0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x468440]} .text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x42c300]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes JMP 1 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xdcee60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SetParent 
00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xdaee10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xdeeb50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xe0eb00]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xe4e3a0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xd8e380]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xe8ab60]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] 
C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes JMP 380037 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xe5c900]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xe9ba30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] 
C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x13abb10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xdf1080]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes JMP 0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] 
C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] 
C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 
00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text 
C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3616] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xdeee60]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xdcee10]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 
00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xe0eb50]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xe2eb00]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xe6e3a0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xdae380]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xeaab60]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\rundll32.exe[2228] 
C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xe7c900]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x13cba30]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xd7b4c0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x141bb10]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xe11080]} .text 
C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\Windows\System32\rundll32.exe[2228] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] 
C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] 
C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD 
[RIP+0xb9bb10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\Program 
Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text 
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] 
.text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes 
{JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 3A] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x3a2550]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x3e0540]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x3a3f60]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] 
C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes JMP 0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] 
C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] 
C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes JMP 3062430 .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 
00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 
00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 
bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff8485236c0 6 
bytes {JMP QWORD [RIP+0x25c970]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff848531c90 6 bytes {JMP QWORD [RIP+0x1de3a0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff848531e00 6 bytes {JMP QWORD [RIP+0x1be230]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff848540d30 6 bytes {JMP QWORD [RIP+0x29f300]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff848540e40 6 bytes {JMP QWORD [RIP+0x1ef1f0]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff848547bf0 6 bytes {JMP QWORD [RIP+0x258440]} .text C:\WINDOWS\system32\WLANExt.exe[760] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff8485a3d30 6 bytes {JMP QWORD [RIP+0x21c300]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 14] .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 16] .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x162550]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1a0540]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x163f60]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xe9ee60]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD 
[RIP+0xe7ee10]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0xb8ee00]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0xb6edf0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0x121eb50]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0x143eb00]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0x147e3a0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xe5e380]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x99bd30]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0x14bab60]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0xa59d90]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 
00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [A9, 00] .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0xba02c0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0x148c900]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0x14cba30]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0xbbb4c0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0x14cbb10]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 
bytes {JMP QWORD [RIP+0xb19bb0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0xa43a10]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0x1421080]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0xa2f030]} .text C:\WINDOWS\system32\conhost.exe[3388] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x9ae670]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff8464a8d06 3 bytes [04, 73, 19] .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff8464d23e0 5 bytes [FF, 25, 50, DC, 1B] .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff8464dfcf0 5 bytes JMP 00007ff8464900d8 .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ff8464fdae1 5 bytes {JMP QWORD [RIP+0x1b2550]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ff8464ffaf0 6 bytes {JMP QWORD [RIP+0x1f0540]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ff84651c0d0 6 bytes {JMP QWORD [RIP+0x1b3f60]} .text C:\Windows\System32\WUDFHost.exe[4004] 
C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff847fd11d0 6 bytes {JMP QWORD [RIP+0xa5ee60]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff847fd1220 6 bytes {JMP QWORD [RIP+0xa3ee10]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff847fd1230 6 bytes {JMP QWORD [RIP+0x9bee00]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff847fd1240 6 bytes {JMP QWORD [RIP+0x99edf0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff847fd14e0 6 bytes {JMP QWORD [RIP+0xa7eb50]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff847fd1530 6 bytes {JMP QWORD [RIP+0xa9eb00]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff847fd1c90 6 bytes {JMP QWORD [RIP+0xb4e3a0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff847fd1cb0 6 bytes {JMP QWORD [RIP+0xa1e380]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff847fd33e0 6 bytes {JMP QWORD [RIP+0x3dcc50]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff847fd3590 6 bytes {JMP QWORD [RIP+0x41caa0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff847fd4301 5 bytes {JMP QWORD [RIP+0x78bd30]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff847fd54d0 6 bytes {JMP QWORD [RIP+0xb8ab60]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff847fd5710 6 bytes {JMP QWORD [RIP+0x45a920]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff847fd62a0 6 bytes {JMP QWORD [RIP+0x849d90]} .text 
C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff847fd6380 6 bytes {JMP QWORD [RIP+0x339cb0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff847fd93c0 6 bytes {JMP QWORD [RIP+0x396c70]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff847fd9ef0 6 bytes {JMP QWORD [RIP+0x2f6140]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff847fdb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ff847fdb7e4 2 bytes [93, 00] .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff847fdfd71 5 bytes {JMP QWORD [RIP+0x9d02c0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff847fe3730 6 bytes {JMP QWORD [RIP+0xb5c900]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff847fe3c50 5 bytes [FF, 25, E0, C3, 36] .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff847fe4600 6 bytes {JMP QWORD [RIP+0xb9ba30]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff847fe4b70 6 bytes {JMP QWORD [RIP+0x9eb4c0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff847fe70f1 5 bytes {JMP QWORD [RIP+0x348f40]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff847ff55a0 6 bytes {JMP QWORD [RIP+0x3daa90]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff847ff5910 6 bytes {JMP QWORD [RIP+0x39a720]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff847ff6180 6 bytes {JMP QWORD [RIP+0x419eb0]} .text 
C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff848004520 6 bytes {JMP QWORD [RIP+0xb9bb10]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff848006480 6 bytes {JMP QWORD [RIP+0x949bb0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff84800c620 6 bytes {JMP QWORD [RIP+0x8e3a10]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff84800efb0 6 bytes {JMP QWORD [RIP+0xa81080]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff84800f600 6 bytes {JMP QWORD [RIP+0x440a30]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff848030f70 6 bytes {JMP QWORD [RIP+0x2bf0c0]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff8480596f0 6 bytes {JMP QWORD [RIP+0x256940]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff848061000 6 bytes {JMP QWORD [RIP+0x8cf030]} .text C:\Windows\System32\WUDFHost.exe[4004] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff8480619c0 6 bytes {JMP QWORD [RIP+0x79e670]} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\lsass.exe[756] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\lsass.exe[756] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\lsass.exe[756] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT 
C:\WINDOWS\system32\svchost.exe[844] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[844] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[844] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[900] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[900] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[900] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\dwm.exe[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\dwmredir.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\dwm.exe[984] @ C:\WINDOWS\system32\uDWM.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[1000] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\nvvsvc.exe[1000] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\nvvsvc.exe[1000] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\nvvsvc.exe[1000] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ 
C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[304] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT 
C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\Windows\System32\Dxtrans.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\Windows\System32\ddrawex.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\Windows\System32\DDRAW.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\nvvsvc.exe[408] @ C:\Windows\System32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\System32\svchost.exe[424] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[424] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[424] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[424] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[800] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[800] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[800] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[800] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[800] @ 
c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[800] @ c:\windows\system32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[912] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[912] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[912] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[1044] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[1044] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[1044] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[1044] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\IDT\WDM\STacSV64.exe[1072] @ C:\WINDOWS\SYSTEM32\ATL.DLL[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\IDT\WDM\STacSV64.exe[1072] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\IDT\WDM\STacSV64.exe[1072] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\IDT\WDM\STacSV64.exe[1072] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\IDT\WDM\STacSV64.exe[1072] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[1272] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[1272] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[1272] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT 
C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\System32\localspl.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\System32\PrintIsolationProxy.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\system32\spool\PRTPROCS\x64\winprint.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\SYSTEM32\prntvpt.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\spoolsv.exe[1528] @ C:\WINDOWS\System32\DriverStore\FileRepository\prnms003.inf_amd64_42a3d67721cb9aa8\Amd64\PrintConfig.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[1564] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[1564] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[1564] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[1564] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[1764] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[1764] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\System32\svchost.exe[1764] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\dashost.exe[1784] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] 
IAT C:\WINDOWS\system32\dashost.exe[1784] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\dashost.exe[1784] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] @ C:\WINDOWS\SYSTEM32\mfc110.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1812] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1840] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT 
C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1920] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] @ C:\WINDOWS\SYSTEM32\d3d9.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1080] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] @ 
C:\WINDOWS\SYSTEM32\mfc110.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2072] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2100] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2180] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2180] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2180] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2180] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe[2276] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] @ 
C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] @ C:\WINDOWS\SYSTEM32\d3d9.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2444] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\conhost.exe[2456] @ C:\WINDOWS\system32\conhost.exe[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[2456] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[2456] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[2456] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[2456] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ 
C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\Comctl32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\twinui.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\authui.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\WSShared.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ff848830000] 
IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\Windows\System32\ieframe.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\syncui.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\UIRibbon.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\Explorer.EXE[2236] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\svchost.exe[2544] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2544] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2544] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2624] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2624] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\svchost.exe[2624] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Windows\System32\WUDFHost.exe[2636] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Windows\System32\WUDFHost.exe[2636] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Windows\System32\WUDFHost.exe[2636] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program 
Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\SYSTEM32\d3d9.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3432] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\system32\conhost.exe[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT 
C:\WINDOWS\system32\conhost.exe[3440] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\comctl32.DLL[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\taskhostex.exe[3456] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3464] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3464] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3464] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3804] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxtray.exe[4080] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxtray.exe[4080] @ 
C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxtray.exe[4080] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxtray.exe[4080] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxtray.exe[4080] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxtray.exe[4080] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxtray.exe[4080] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\OPENGL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\DDRAW.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\igfxsrvc.exe[1664] @ C:\WINDOWS\system32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\hkcmd.exe[3164] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\hkcmd.exe[3164] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\hkcmd.exe[3164] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\hkcmd.exe[3164] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\hkcmd.exe[3164] @ 
C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\hkcmd.exe[3164] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\hkcmd.exe[3164] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxpers.exe[3272] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxpers.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxpers.exe[3272] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxpers.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxpers.exe[3272] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxpers.exe[3272] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\igfxpers.exe[3272] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\SYSTEM32\MFC42u.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ 
C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\IDT\WDM\sttray64.exe[1728] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[3544] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\Comctl32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\Program Files (x86)\Lenovo\Energy 
Manager\mfc110u.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[3656] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\Program Files (x86)\Lenovo\Energy Manager\mfc110u.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy 
Manager\utility.exe[3660] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[3660] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\wbem\unsecapp.exe[3616] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\unsecapp.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\unsecapp.exe[3616] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT 
C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\comctl32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\rundll32.exe[2228] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] @ C:\WINDOWS\SYSTEM32\mfc110.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4152] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3056] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3240] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] @ 
C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3732] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\mfc110.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\UxTheme.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\WLANExt.exe[760] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18470_none_9331b0df474a1995\gdiplus.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\WINDOWS\system32\conhost.exe[3388] @ C:\WINDOWS\system32\conhost.exe[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3388] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3388] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3388] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\WINDOWS\system32\conhost.exe[3388] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff848830000] IAT C:\Windows\System32\WUDFHost.exe[4004] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Windows\System32\WUDFHost.exe[4004] @ 
C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ff8486d0000] IAT C:\Windows\System32\WUDFHost.exe[4004] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ff8486d0000] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [636:676] fffff960008922d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xF8 0x62 0x79 0x85 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x57 0xC5 0x7B 0x85 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x5B 0x0F 0x21 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x15 0xD8 0x3B 0xFD ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 126 Reg HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime 0x9E 0x23 0x65 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SEC42560_00_07DB_27^4DF1FF8F9F20910084EE1852AFAC459E@Timestamp 0xCC 0xE5 0x1D 0x86 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 744 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -355791287 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 3373 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 286161084 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 286156637 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 286156639 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 286160841 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 4179 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x8A 0x20 0xFA 0x45 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 97486416-5f79-49dc-85ca-19d0243 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{48756faf-3616-4612-8ff7-fb33b296f840} Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\f81654a1c0ab Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox@Num 9 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\0@UID {57A3A56A-365D-43FD-9ED8-9EDBEF50FE42} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\0@Filename C:\Users\pc\Downloads\ComboFix.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\0@DeviceName C:\Users\pc\Downloads\ComboFix.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\1@UID {48F44659-4BBB-4949-BF3A-BFAA21F171EB} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\1@Filename C:\Users\pc\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_pl.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\1@DeviceName C:\Users\pc\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_pl.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\2@UID {FB549D04-29FA-46CB-9661-3F32C329C067} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\2@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\2@DeviceName Wszystkie aplikacje Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\2@Action 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\2@Reputation 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\2@QuarantineWhenBlock 1 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\2@SBFlags 80 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\3@UID {907EF604-1245-4D38-BCDA-40239DE61C8C} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\3@DeviceName Podejrzane lokalizacje Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\3@Reputation 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\3@QuarantineWhenBlock 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\4@UID {F0D9D6E9-316E-4F4D-AFDE-9ED572955F7C} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\4@DeviceName Foldery piaskownicy Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\5@UID {35C8B992-4090-4969-921A-5DAB930A40EB} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\5@DeviceName Aplikacje Modern UI Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\5@Action 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6@UID {108B3D9D-D9C0-48D4-91C6-E65633390FEB} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6@DeviceName Wszystkie aplikacje Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6@Reputation 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0@UID {B0F5F6C4-EEE2-48B5-964C-7F8A68724F79} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0@Location 0 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0@Zone 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0\Creator@UID {9D752C4A-0756-4916-AE41-CB27D91D6B55} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0\Creator@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0\Creator@Filename * Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\0\Creator@DeviceName * Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1@UID {9FC8893A-76CC-4ACA-9907-A1C93058117F} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1@Location 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1@Zone 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1\Creator@UID {C05CB1F7-C6EB-484D-8A35-B5C378F164B4} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1\Creator@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1\Creator@Filename * Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\1\Creator@DeviceName * Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2@UID {14B5D327-3C7B-474D-AF1B-DC71FE58AC51} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2@Location 2 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2@Zone 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2\Creator@UID {D0150C32-4143-4F7F-8B8B-8CBC8C1EE872} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2\Creator@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2\Creator@Filename * Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\6\Sources\2\Creator@DeviceName * Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7@UID {1677F228-133A-428F-B47D-5467622A7069} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources@Num 8 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\0@UID {ED078353-C498-41D3-8C50-D47F64049611} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\0@Zone 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\0\Creator@UID {1019A8EE-EE52-4736-BF0C-4C449F7FF254} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\0\Creator@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\0\Creator@DeviceName Przeglądarki internetowe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\1@UID {D8D6ADB0-2693-42D3-A119-6318F65CFB79} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\1@Location 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\1\Creator@UID {2A50F703-44CA-4838-8BC8-4C77EF0804F4} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\1\Creator@Flags 1 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\1\Creator@DeviceName Klienci poczty e-mail Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\2@UID {5011718F-2ADF-4BEA-971B-B1B29EB6680F} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\2@Location 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\2\Creator@UID {801456B7-6335-4827-A0FD-54E280130CC8} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\2\Creator@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\2\Creator@DeviceName Menedżery pobierania plików Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3@UID {562DB8E1-730B-4254-913E-27D452D861E1} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3@Location 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3@Zone 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3\Creator@UID {9FBFE822-701C-4884-A504-D212B4F4F51A} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3\Creator@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\3\Creator@DeviceName Pseudomenedżery pobierania plików Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4@UID {EA1B6105-F4C1-4DEB-B049-69A0AE81C45D} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4@Location 0 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4@Zone 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4\Creator@UID {A85293E2-F3E7-4740-8772-154516936733} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4\Creator@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\4\Creator@DeviceName Archiwizery plików Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5@UID {B4BF0099-6227-4359-89D6-DC2C378F13CC} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5@Location 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5@Zone 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5\Creator@UID {1BC5CB7E-254A-4EC7-87A9-3ED45C34F6B1} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5\Creator@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\5\Creator@DeviceName Management and Productivity Applications Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6@UID {3D89B28A-3C94-4B64-8825-3A086D36C595} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6@Location 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6@Zone 0 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6\Creator@UID {DE25543A-D26C-4972-8793-1F84F330DEE9} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6\Creator@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\6\Creator@DeviceName Media Players Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7@UID {B4BF0099-6227-4359-89D6-DC2C378F13CC} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7@Location 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7@Zone 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7\Creator Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7\Creator@UID {1BC5CB7E-254A-4EC7-87A9-3ED45C34F6B1} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7\Creator@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\7\Sources\7\Creator@DeviceName Aplikacje zarządzania i produkcji Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\8@UID {1CB194B3-0237-43FC-AF22-D47149C79FEB} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\8@DeviceName Współdzielone przestrzenie Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox\8\Sources@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Start 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Tag 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ImagePath \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@DisplayName mbamchameleon Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Protected F:\mbar\ Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@RefCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ProtectedPaths \Device\HarddiskVolume5\WINDOWS\System32\DRIVERS\mbamchameleon.sys?\Device\HarddiskVolume9\mbar\?\Device\HarddiskVolume9\mbar\?\Device\HarddiskVolume5\ProgramData\Malwarebytes' Anti-Malware (portable)\? Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ProtectedRegistry \REGISTRY\MACHINE\SYSTEM\CONTROLSET*\SERVICES\MBAMCHAMELEON\*?\Registry\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\mbamchameleon\? 
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Verified 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@DeleteFlag 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances@DefaultInstance mbamchameleon Instance Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances\mbamchameleon Instance Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances\mbamchameleon Instance@Altitude 400900 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances\mbamchameleon Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Cz?, ?pa? ?27 ?16, 01:24:31??????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 19395 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 11388 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 137 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 750 Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CAMService.exe_51a8b23c48fff1a7413eb37c9e11956f55b65_316889bd_cab_0d348339 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0x64 0x02 0x01 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----