GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-08 16:49:19 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 SAMSUNG_MZMTD128HAFV-000 rev.DXT41K0Q 119,24GB Running: wplfv3qx.exe; Driver: C:\Users\WIOLAW~1\AppData\Local\Temp\uxldqpod.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\csrss.exe[588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbefe31720 8 bytes JMP 00007ffbeff500d8 .text C:\WINDOWS\system32\csrss.exe[588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbefe31920 8 bytes JMP 00007ffbeff50110 .text C:\WINDOWS\system32\csrss.exe[588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 8 bytes JMP 00007ffbeff50148 .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffbed90f980 6 bytes {JMP QWORD [RIP+0x1706b0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffbed9402a4 6 bytes {JMP QWORD [RIP+0x10fd8c]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x8eee80]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x8cee30]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x84ee20]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x82ee10]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x90eb90]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x92eb40]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x96e400]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x8ae3e0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x6cd720]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x68cb60]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x74bf10]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x9ab1c0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x70ae00]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x869960]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6696c0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x78742c]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x64611c]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5e57d0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5a38a0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 62] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7c1cf0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x9c1b50]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8813dc]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5fde1c]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6dd620]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x97c600]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x699f08]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7e0ab0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x91c950]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6f9e80]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x779b50]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5563d0]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9a52c4]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5726b8]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7639f8]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6e30ac]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\lsass.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x8eee80]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x8cee30]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x84ee20]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x82ee10]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x90eb90]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x92eb40]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x96e400]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x8ae3e0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x6cd720]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x68cb60]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x74bf10]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x9ab1c0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x70ae00]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x869960]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6696c0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x78742c]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x64611c]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5e57d0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5a38a0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 62] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7c1cf0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x9c1b50]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8813dc]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5fde1c]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6dd620]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x97c600]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x699f08]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7e0ab0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x91c950]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6f9e80]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x779b50]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5563d0]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9a52c4]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5726b8]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7639f8]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6e30ac]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[388] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffbed90f980 6 bytes {JMP QWORD [RIP+0x1706b0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffbed9402a4 6 bytes {JMP QWORD [RIP+0x10fd8c]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x8eee80]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x8cee30]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x84ee20]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x82ee10]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x90eb90]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x92eb40]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x96e400]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x8ae3e0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x6cd720]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x68cb60]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x74bf10]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x9ab1c0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x70ae00]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x869960]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6696c0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x78742c]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x64611c]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5e57d0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5a38a0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 62] .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7c1cf0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x9c1b50]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8813dc]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5fde1c]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6dd620]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x97c600]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x699f08]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7e0ab0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x91c950]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6f9e80]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x779b50]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5563d0]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9a52c4]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5726b8]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7639f8]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6e30ac]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x8aee80]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x88ee30]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x80ee20]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x8ceb90]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x8eeb40]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x92e400]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x86e3e0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x68d720]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x64cb60]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x70bf10]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x96b1c0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x6cae00]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x829960]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6296c0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x74742c]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x60611c]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5a57d0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5638a0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 5E] .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x781cf0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x981b50]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8413dc]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5bde1c]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x69d620]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x93c600]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x659f08]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7a0ab0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x8dc950]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6b9e80]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x739b50]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5163d0]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9652c4]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5326b8]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7239f8]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6a30ac]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\System32\svchost.exe[1144] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffbed90f980 6 bytes {JMP QWORD [RIP+0x1706b0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffbed9402a4 6 bytes {JMP QWORD [RIP+0x10fd8c]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x8eee80]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x8cee30]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x84ee20]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x82ee10]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x90eb90]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x92eb40]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x96e400]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x8ae3e0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x6cd720]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x68cb60]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x74bf10]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x9ab1c0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x70ae00]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x869960]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6696c0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x78742c]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x64611c]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5e57d0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5a38a0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 62] .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7c1cf0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x9c1b50]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8813dc]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5fde1c]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6dd620]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x97c600]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x699f08]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7e0ab0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x91c950]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6f9e80]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x779b50]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5563d0]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9a52c4]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5726b8]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7639f8]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6e30ac]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\dashost.exe[1872] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\dashost.exe[1872] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\Program Files\Samsung\Samsung Link\Samsung Link.exe[2016] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\Program Files\Samsung\Samsung Link\Samsung Link.exe[2016] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes JMP 61006e .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x8aee80]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x88ee30]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x80ee20]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x8ceb90]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x8eeb40]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x92e400]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x86e3e0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x68d720]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x64cb60]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x70bf10]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x96b1c0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x6cae00]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x829960]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6296c0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x74742c]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x60611c]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5a57d0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5638a0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 5E] .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x781cf0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x981b50]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8413dc]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5bde1c]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x69d620]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x93c600]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x659f08]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7a0ab0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x8dc950]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6b9e80]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x739b50]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5163d0]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9652c4]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5326b8]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7239f8]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6a30ac]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\svchost.exe[2216] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x91ee80]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x8fee30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x87ee20]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x85ee10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x93eb90]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x95eb40]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x99e400]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x8de3e0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x69d720]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x65cb60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x71bf10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x9db1c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x6dae00]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x899960]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6396c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x75742c]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x61611c]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5b57d0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5738a0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 5F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7f1cf0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x9f1b50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8b13dc]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5cde1c]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6ad620]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x9ac600]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x669f08]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x810ab0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x94c950]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6c9e80]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x749b50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5263d0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9d52c4]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5426b8]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7939f8]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6b30ac]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes {JMP QWORD [RIP+0x35c480]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes {JMP QWORD [RIP+0x29d144]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes {JMP QWORD [RIP+0x2dcf60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes {JMP QWORD [RIP+0x3a18b4]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes {JMP QWORD [RIP+0x2f1750]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes {JMP QWORD [RIP+0x359a98]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes {JMP QWORD [RIP+0x32cb1c]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\svchost.exe[3676] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 26] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 34] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 30] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 36] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2E] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1E] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 20] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 32] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3E] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 1C] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 28] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 38] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 3C] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 2A] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 3A] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x2cd150]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x22d0b0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x24d020]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0x3983ec]} .text C:\WINDOWS\system32\SearchIndexer.exe[3772] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x362248]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x8aee80]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x88ee30]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x80ee20]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x8ceb90]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x8eeb40]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x92e400]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x86e3e0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x68d720]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x64cb60]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x70bf10]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x96b1c0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x6cae00]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x829960]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6296c0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x74742c]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x60611c]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5a57d0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5638a0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 5E] .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x781cf0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x981b50]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x8413dc]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5bde1c]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x69d620]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x93c600]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x659f08]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7a0ab0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x8dc950]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6b9e80]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x739b50]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5163d0]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x9652c4]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5326b8]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7239f8]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6a30ac]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\System32\svchost.exe[4372] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\csrss.exe[4056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbefe31720 8 bytes JMP 00007ffbeff500d8 .text C:\WINDOWS\system32\csrss.exe[4056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbefe31920 8 bytes JMP 00007ffbeff50110 .text C:\WINDOWS\system32\csrss.exe[4056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 8 bytes JMP 00007ffbeff50148 .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0xa2ee80]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0xa0ee30]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x84ee20]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x82ee10]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0xa4eb90]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0xa6eb40]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0xaae400]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x9ee3e0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x6cd720]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x68cb60]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x74bf10]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0xaeb1c0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x70ae00]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x9a9960]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6696c0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x78742c]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x64611c]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5e57d0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5a38a0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 62] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7c1cf0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0xb01b50]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x9c13dc]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5fde1c]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6dd620]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0xabc600]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x699f08]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7e0ab0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0xa5c950]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6f9e80]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x779b50]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5563d0]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0xae52c4]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5726b8]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7639f8]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6e30ac]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes {JMP QWORD [RIP+0x38c480]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes {JMP QWORD [RIP+0x2ed144]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes {JMP QWORD [RIP+0x30cf60]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes {JMP QWORD [RIP+0x3d18b4]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes {JMP QWORD [RIP+0x321750]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes {JMP QWORD [RIP+0x389a98]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes {JMP QWORD [RIP+0x35cb1c]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\System32\dwm.exe[5220] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 74] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 78] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0xd6ee80]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0xd4ee30]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0xccee20]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0xcaee10]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0xd8eb90]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0xdaeb40]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0xdee400]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0xd2e3e0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x71d720]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x6dcb60]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x79bf10]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0xe2b1c0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x75ae00]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0xce9960]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6b96c0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x7d742c]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x69611c]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x6357d0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5f38a0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 67] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0xc41cf0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0xe41b50]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0xd013dc]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x64de1c]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x72d620]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0xdfc600]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x6e9f08]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0xc60ab0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0xd9c950]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x749e80]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x829b50]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5a63d0]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0xe252c4]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5c26b8]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0xbe39f8]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x7330ac]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes {JMP QWORD [RIP+0x3dc480]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes {JMP QWORD [RIP+0x33d144]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes {JMP QWORD [RIP+0x35cf60]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes {JMP QWORD [RIP+0x4218b4]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes {JMP QWORD [RIP+0x371750]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes {JMP QWORD [RIP+0x3d9a98]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes {JMP QWORD [RIP+0x3acb1c]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1760] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 26] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes JMP 340002 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes JMP eaf50000 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1E] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes JMP 4b2 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3E] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes JMP 1 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 28] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes JMP c4316050 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 2A] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes JMP e .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x2cd150]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes JMP 410013 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes JMP 470041 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes JMP 32 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0xa8ee80]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0xa6ee30]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x9eee20]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x9cee10]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0xaaeb90]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0xaceb40]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0xb0e400]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0xa4e3e0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes JMP 10001 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x6ecb60]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x7abf10]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0xb4b1c0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0xa09960]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6c96c0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x7e742c]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x6a611c]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x6457d0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x6038a0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 68] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x821cf0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0xb61b50]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0xa213dc]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x65de1c]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes JMP 4102d5e0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0xb1c600]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x6f9f08]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x980ab0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0xabc950]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes JMP c00000 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x7d9b50]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5b63d0]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5d26b8]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7c39f8]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes JMP 201 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes JMP 2 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes {JMP QWORD [RIP+0x4318b4]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes JMP ffffffff .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes {JMP QWORD [RIP+0x3e9a98]} .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\Explorer.EXE[2840] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 31] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 3F] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 3B] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 41] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 39] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 29] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 2B] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 3D] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 49] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 27] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 33] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 43] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 47] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 35] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 45] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x37d150]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x2dd0b0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x2fd020]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 74] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 88] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0xb7ee80]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0xb5ee30]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0xadee20]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0xabee10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x255eb90]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x257eb40]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x29de400]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0xb3e3e0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 4 bytes [FF, 25, 20, D7] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW + 5 00007ffbed622915 1 byte [00] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x7dcb60]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x9dbf10]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x2a1b1c0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x85ae00]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes JMP 0 .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x7b96c0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0xa1742c]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x79611c]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x7357d0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x6f38a0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 77] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0xa51cf0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x2a31b50]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0xb113dc]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x74de1c]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x82d620]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x29ec600]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x7e9f08]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0xa70ab0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x28fc950]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x989e80]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0xa09b50]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x6a63d0]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x2a152c4]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x6c26b8]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x9f39f8]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x9730ac]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0x3983ec]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x362248]} .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 22] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 30] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 2C] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 32] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2A] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1A] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 1C] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 2E] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3A] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 18] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 24] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 34] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 38] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 26] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 36] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x28d150]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x1ed0b0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x20d020]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0xa2ee80]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0xa0ee30]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x84ee20]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x82ee10]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0xa4eb90]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0xa6eb40]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0xaae400]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x9ee3e0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x6cd720]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x68cb60]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x74bf10]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0xaeb1c0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x70ae00]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x9a9960]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6696c0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x78742c]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x64611c]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5e57d0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5a38a0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 62] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7c1cf0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0xb01b50]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x9c13dc]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5fde1c]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6dd620]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0xabc600]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x699f08]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7e0ab0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0xa5c950]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6f9e80]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x779b50]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5563d0]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0xae52c4]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5726b8]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7639f8]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6e30ac]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0xc83ec]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x92248]} .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\DllHost.exe[5176] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 26] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 34] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 30] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 36] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 2E] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 1E] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 20] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 32] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 3E] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 1C] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 28] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 38] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 3C] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 2A] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 3A] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x2cd150]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x22d0b0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x24d020]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0xa2ee80]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0xa0ee30]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x84ee20]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x82ee10]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0xa4eb90]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0xa6eb40]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0xaae400]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x9ee3e0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x6cd720]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x68cb60]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x74bf10]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0xaeb1c0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x70ae00]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x9a9960]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6696c0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x78742c]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x64611c]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x5e57d0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x5a38a0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 62] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x7c1cf0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0xb01b50]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x9c13dc]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x5fde1c]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x6dd620]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0xabc600]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x699f08]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0x7e0ab0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0xa5c950]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x6f9e80]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x779b50]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5563d0]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0xae52c4]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5726b8]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x7639f8]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x6e30ac]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0x3983ec]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x362248]} .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\WINDOWS\system32\taskhostex.exe[5740] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 4A] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 58] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 54] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 5A] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 52] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 42] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 44] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 56] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 62] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 40] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 4C] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 5C] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 60] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 4E] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 5E] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x50d150]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x46d0b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x48d020]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x2aeee80]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x2acee30]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x2a2ee10]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x2b0eb90]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x2b2eb40]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x2b6e400]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x2aae3e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x7cd720]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x78cb60]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x84bf10]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x2bab1c0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x80ae00]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes JMP f7ed38 .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x7696c0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x256742c]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x74611c]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x6e57d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x6a38a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 72] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x29c1cf0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x2bc1b50]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x2a813dc]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x6fde1c]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x7dd620]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x2b7c600]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x799f08]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x2b1c950]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x7f9e80]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x2559b50]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x6563d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x2ba52c4]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x6726b8]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x29639f8]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x24630ac]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes {JMP QWORD [RIP+0x48c480]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes {JMP QWORD [RIP+0x38d144]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes {JMP QWORD [RIP+0x40cf60]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes {JMP QWORD [RIP+0x4d18b4]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes {JMP QWORD [RIP+0x421750]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes {JMP QWORD [RIP+0x489a98]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes {JMP QWORD [RIP+0x45cb1c]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0x3983ec]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x362248]} .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrl.exe[7268] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes JMP 2845 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 3A] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 4 bytes [FF, 25, 50, E6] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 3C] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 34] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes JMP d3c70490 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 38] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 44] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 2E] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 3E] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 42] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 30] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 40] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x32d150]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x28d0b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x2ad020]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes JMP 77002d .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0xb2ee80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0xb0ee30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0xa8ee20]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0xa6ee10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0xb4eb90]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0xb6eb40]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x256e400]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0xaee3e0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x7cd720]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x78cb60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x84bf10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x29cb1c0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x80ae00]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0xaa9960]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x7696c0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x9c742c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x74611c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x6a38a0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 72] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0xa01cf0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x29e1b50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0xac13dc]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x6fde1c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x7dd620]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x257c600]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x799f08]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes {JMP QWORD [RIP+0xa20ab0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x24bc950]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x7f9e80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x9b9b50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x6563d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x29c52c4]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x6726b8]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x9a39f8]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x9230ac]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes {JMP QWORD [RIP+0x38d144]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes {JMP QWORD [RIP+0x40cf60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes {JMP QWORD [RIP+0x4d18b4]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes {JMP QWORD [RIP+0x421750]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes JMP 90000c00 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0x3983ec]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x362248]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes {JMP QWORD [RIP+0x38c480]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes {JMP QWORD [RIP+0x2ed144]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes {JMP QWORD [RIP+0x30cf60]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes {JMP QWORD [RIP+0x3d18b4]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes {JMP QWORD [RIP+0x321750]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes {JMP QWORD [RIP+0x389a98]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes {JMP QWORD [RIP+0x35cb1c]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes JMP 530057 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 57] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 3F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 41] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 5F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes JMP 1000c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes JMP 486890 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 59] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 5D] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 5B] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x43d0b0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x45d020]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x2abee80]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x2a9ee30]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x2a1ee20]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x29fee10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x2adeb90]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes {JMP QWORD [RIP+0x2afeb40]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x2b3e400]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x2a7e3e0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x6fcb60]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x81bf10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x2b7b1c0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x77ae00]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x2a39960]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6d96c0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x85742c]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x6b611c]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x6557d0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x6138a0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 69] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x2571cf0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x2b91b50]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x2a513dc]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x66de1c]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes JMP 40edaa00 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x2b4c600]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x709f08]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes {JMP QWORD [RIP+0x2aec950]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x7c9e80]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x2529b50]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5c63d0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x2b752c4]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5e26b8]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x28a39f8]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x7b30ac]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0x3983ec]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x362248]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbed7a3bb0 6 bytes {JMP QWORD [RIP+0x39c480]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbed7b2eec 6 bytes {JMP QWORD [RIP+0x2fd144]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbed7b30d0 6 bytes {JMP QWORD [RIP+0x31cf60]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbed7be77c 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbed7be8e0 6 bytes {JMP QWORD [RIP+0x331750]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbed7c6598 6 bytes JMP 3a87 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbed813514 6 bytes JMP 6a5 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffbe5f51f6a 4 bytes [F5, E5, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffbe5f51f82 4 bytes [F5, E5, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffbefdc1838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ffbefe31760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbefe31930 5 bytes [FF, 25, 00, E7, 47] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ffbefe319a0 5 bytes [FF, 25, 90, E6, 55] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbefe319e0 5 bytes [FF, 25, 50, E6, 51] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffbefe31a80 5 bytes [FF, 25, B0, E5, 57] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbefe31b10 5 bytes [FF, 25, 20, E5, 4F] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbefe31b50 5 bytes [FF, 25, E0, E4, 3F] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbefe31ba0 5 bytes [FF, 25, 90, E4, 41] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ffbefe31bc0 5 bytes [FF, 25, 70, E4, 53] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffbefe31dd0 5 bytes [FF, 25, 60, E2, 5F] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbefe31ef0 5 bytes [FF, 25, 40, E1, 3D] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ffbefe31ff0 5 bytes [FF, 25, 40, E0, 49] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffbefe32170 5 bytes [FF, 25, C0, DE, 59] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbefe32180 5 bytes [FF, 25, B0, DE, 5D] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbefe32590 5 bytes [FF, 25, A0, DA, 4B] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffbefe32620 5 bytes [FF, 25, 10, DA, 5B] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbefe32ee0 6 bytes {JMP QWORD [RIP+0x4dd150]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbefe32f80 6 bytes {JMP QWORD [RIP+0x43d0b0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbefe33010 6 bytes {JMP QWORD [RIP+0x45d020]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffbef9d767c 6 bytes {JMP QWORD [RIP+0x1589b4]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessA 00007ffbef9d8aa0 6 bytes {JMP QWORD [RIP+0x177590]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffbef9d8bb0 6 bytes {JMP QWORD [RIP+0x197480]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbed335676 3 bytes [94, A9, 10] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbed34f8b0 5 bytes [FF, 25, 80, 07, 14] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbed6211b0 6 bytes {JMP QWORD [RIP+0x2abee80]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbed621200 6 bytes {JMP QWORD [RIP+0x2a9ee30]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbed621210 6 bytes {JMP QWORD [RIP+0x2a1ee20]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbed621220 6 bytes {JMP QWORD [RIP+0x29fee10]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbed6214a0 6 bytes {JMP QWORD [RIP+0x2adeb90]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbed6214f0 6 bytes JMP feeefeee .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbed621c30 6 bytes {JMP QWORD [RIP+0x2b3e400]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbed621c50 6 bytes {JMP QWORD [RIP+0x2a7e3e0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbed622910 6 bytes {JMP QWORD [RIP+0x73d720]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbed6234d0 6 bytes {JMP QWORD [RIP+0x6fcb60]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbed624121 5 bytes {JMP QWORD [RIP+0x81bf10]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbed624e70 6 bytes {JMP QWORD [RIP+0x2b7b1c0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbed625230 6 bytes {JMP QWORD [RIP+0x77ae00]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbed6266d1 5 bytes {JMP QWORD [RIP+0x2a39960]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbed626970 6 bytes {JMP QWORD [RIP+0x6d96c0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbed628c04 6 bytes {JMP QWORD [RIP+0x85742c]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbed629f14 6 bytes {JMP QWORD [RIP+0x6b611c]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbed62a860 6 bytes {JMP QWORD [RIP+0x6557d0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbed62c790 6 bytes {JMP QWORD [RIP+0x6138a0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbed62d938 5 bytes [FF, 25, F8, 26, 69] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbed62e340 6 bytes {JMP QWORD [RIP+0x2571cf0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbed62e4e0 6 bytes {JMP QWORD [RIP+0x2b91b50]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbed62ec54 6 bytes {JMP QWORD [RIP+0x2a513dc]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbed632215 5 bytes {JMP QWORD [RIP+0x66de1c]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbed632a10 6 bytes {JMP QWORD [RIP+0x74d620]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbed633a30 6 bytes {JMP QWORD [RIP+0x2b4c600]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbed636128 6 bytes {JMP QWORD [RIP+0x709f08]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbed64f580 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbed6536e0 6 bytes JMP 1030000 .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbed6561b0 6 bytes {JMP QWORD [RIP+0x7c9e80]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbed6564e0 6 bytes {JMP QWORD [RIP+0x2529b50]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbed659c60 6 bytes {JMP QWORD [RIP+0x5c63d0]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbed66ad6c 6 bytes {JMP QWORD [RIP+0x2b752c4]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbed67d978 6 bytes {JMP QWORD [RIP+0x5e26b8]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbed6ac638 6 bytes {JMP QWORD [RIP+0x28a39f8]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbed6acf84 6 bytes {JMP QWORD [RIP+0x7b30ac]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffbefc27c44 6 bytes {JMP QWORD [RIP+0x3983ec]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\ADVAPI32.dll!CreateProcessWithLogonW 00007ffbefc7dde8 6 bytes {JMP QWORD [RIP+0x362248]} .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbeda7169a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbeda716a2 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbeda7181a 4 bytes [A7, ED, FB, 7F] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbeda71832 4 bytes [A7, ED, FB, 7F] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[912] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\atiesrxx.exe[724] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[1036] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[1036] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[1036] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[1036] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[1080] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\System32\svchost.exe[1144] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\System32\spoolsv.exe[1512] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\dashost.exe[1872] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\dashost.exe[1872] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\dashost.exe[1872] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\dashost.exe[1872] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\Program Files\Samsung\Samsung Link\Samsung Link.exe[2016] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[2216] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2620] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\svchost.exe[3676] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3772] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3772] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3772] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3772] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3772] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\DllHost.exe[2832] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[6408] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[6408] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[7664] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda30000] IAT C:\WINDOWS\System32\dwm.exe[5220] @ C:\WINDOWS\System32\dwm.exe[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\System32\dwm.exe[5220] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\System32\dwm.exe[5220] @ C:\WINDOWS\System32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\System32\dwm.exe[5220] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\System32\dwm.exe[5220] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\System32\dwm.exe[5220] @ C:\WINDOWS\System32\uDWM.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\System32\dwm.exe[5220] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\atieclxx.exe[1760] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\WINDOWS\system32\atieclxx.exe[1760] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\WINDOWS\system32\atieclxx.exe[1760] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\WINDOWS\system32\atieclxx.exe[1760] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\WINDOWS\system32\atieclxx.exe[1760] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\WINDOWS\system32\atieclxx.exe[1760] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\WINDOWS\system32\atieclxx.exe[1760] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\Comctl32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\twinui.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\SYSTEM32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17227_none_932c0e57474f5080\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\authui.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\PROGRA~1\MICROS~2\Office15\GROOVEEX.DLL[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\WSShared.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\Windows\System32\ieframe.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\fontext.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\DeviceCenter.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\system32\wpdshext.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\Explorer.EXE[2840] @ C:\WINDOWS\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Classic Shell\ClassicStartMenu.exe[7632] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\WINDOWS\system32\DllHost.exe[5176] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\DllHost.exe[5176] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\DllHost.exe[5176] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\DllHost.exe[5176] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\DllHost.exe[5176] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\WINDOWS\system32\taskhostex.exe[5740] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17227_none_932c0e57474f5080\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrl.exe[7268] @ C:\WINDOWS\SYSTEM32\riched20.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.16384_none_34a8918f959016ea\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17227_none_932c0e57474f5080\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Elantech\ETDCtrlHelper.exe[4496] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4328] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4328] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7628] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda80000] IAT C:\Program Files\Samsung\S Agent\CommonAgent.exe[6176] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Samsung\S Agent\CommonAgent.exe[6176] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Samsung\S Agent\CommonAgent.exe[6176] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files\Samsung\S Agent\CommonAgent.exe[6176] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbedb30000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\comctl32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\SYSTEM32\mfc100u.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17227_none_932c0e57474f5080\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5860] @ C:\WINDOWS\SYSTEM32\mfc100.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\comctl32.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbeda90000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[1220] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbeda90000] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\lsass.exe [836:852] 00007ffbecd82020 Thread C:\WINDOWS\system32\svchost.exe [940:5092] 00007ffbec1f1cc0 Thread C:\WINDOWS\system32\svchost.exe [940:4076] 00007ffbec1f1cc0 Thread C:\WINDOWS\system32\svchost.exe [388:1364] 00007ffbe7fb4a3c Thread C:\WINDOWS\system32\svchost.exe [388:1368] 00007ffbe7fc1858 Thread C:\WINDOWS\system32\svchost.exe [388:1372] 00007ffbe7fbe1b8 Thread C:\WINDOWS\system32\svchost.exe [388:1376] 00007ffbe7fc079c Thread C:\WINDOWS\system32\svchost.exe [388:1672] 00007ffbe67dc774 Thread C:\WINDOWS\system32\svchost.exe [388:1908] 00007ffbe557dff0 Thread C:\WINDOWS\system32\svchost.exe [388:1528] 00007ffbde024b30 Thread C:\WINDOWS\system32\svchost.exe [388:2332] 00007ffbe5325340 Thread C:\WINDOWS\system32\svchost.exe [388:4412] 00007ffbe7fb88f0 Thread C:\WINDOWS\system32\svchost.exe [388:5752] 00007ffbeb9f14f0 Thread C:\WINDOWS\System32\svchost.exe [984:1028] 00007ffbe90874f8 Thread C:\WINDOWS\System32\svchost.exe [984:1044] 00007ffbe906b7c4 Thread C:\WINDOWS\System32\svchost.exe [984:1048] 00007ffbe906b7c4 Thread C:\WINDOWS\System32\svchost.exe [984:1052] 00007ffbe906b7c4 Thread C:\WINDOWS\System32\svchost.exe [984:1056] 00007ffbe906b7c4 Thread C:\WINDOWS\System32\svchost.exe [984:1252] 00007ffbe86d1420 Thread C:\WINDOWS\System32\svchost.exe [984:1344] 00007ffbe818e840 Thread C:\WINDOWS\System32\svchost.exe [984:1356] 00007ffbe79fe160 Thread C:\WINDOWS\System32\svchost.exe [984:1400] 00007ffbe725ed18 Thread C:\WINDOWS\System32\svchost.exe [984:1404] 00007ffbe7e24960 Thread C:\WINDOWS\System32\svchost.exe [984:3704] 00007ffbd9406dd0 Thread C:\WINDOWS\System32\svchost.exe [984:3752] 00007ffbd9404f30 Thread C:\WINDOWS\System32\svchost.exe [984:2764] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [984:7536] 000000d8ebf91b54 Thread C:\WINDOWS\System32\svchost.exe [984:5776] 00007ffbe8201ed0 Thread C:\WINDOWS\System32\svchost.exe [984:2792] 00007ffbddda12f8 Thread C:\WINDOWS\System32\svchost.exe [984:2604] 00007ffbef810310 Thread C:\WINDOWS\system32\svchost.exe [1036:3852] 00007ffbe8a810e0 Thread C:\WINDOWS\system32\svchost.exe [1080:1204] 00007ffbe8833fd8 Thread C:\WINDOWS\system32\svchost.exe [1080:1208] 00007ffbe8845920 Thread C:\WINDOWS\system32\svchost.exe [1080:1312] 00007ffbe8b3e2ac Thread C:\WINDOWS\system32\svchost.exe [1080:2552] 00007ffbe8b40090 Thread C:\WINDOWS\system32\svchost.exe [1080:3864] 00007ffbd5b50b50 Thread C:\WINDOWS\system32\svchost.exe [1080:3892] 00007ffbd59616b8 Thread C:\WINDOWS\system32\svchost.exe [1080:3896] 00007ffbd5b4c574 Thread C:\WINDOWS\system32\svchost.exe [1080:3900] 00007ffbd5b4f55c Thread C:\WINDOWS\system32\svchost.exe [1080:3904] 00007ffbd5b51674 Thread C:\WINDOWS\system32\svchost.exe [1080:3908] 00007ffbd5b47490 Thread C:\WINDOWS\system32\svchost.exe [1080:3912] 00007ffbe7374b04 Thread C:\WINDOWS\system32\svchost.exe [1080:2824] 00007ffbd58cab50 Thread C:\WINDOWS\system32\svchost.exe [1080:3352] 00007ffbd58caeb0 Thread C:\WINDOWS\system32\svchost.exe [1080:880] 00007ffbd4ec6c08 Thread C:\WINDOWS\system32\svchost.exe [1080:408] 00007ffbd4ec6800 Thread C:\WINDOWS\system32\svchost.exe [1080:5320] 00007ffbd5b4d5a0 Thread C:\WINDOWS\System32\svchost.exe [1144:1216] 00007ffbe8948c40 Thread C:\WINDOWS\System32\svchost.exe [1144:1392] 00007ffbe7236f04 Thread C:\WINDOWS\System32\svchost.exe [1144:1452] 00007ffbec353cbc Thread C:\WINDOWS\System32\svchost.exe [1144:1996] 00007ffbe22a2d90 Thread C:\WINDOWS\System32\svchost.exe [1144:3860] 00007ffbea511d2c Thread C:\WINDOWS\System32\svchost.exe [1144:3880] 00007ffbea5122f0 Thread C:\WINDOWS\System32\svchost.exe [1144:4268] 00007ffbe22836f8 Thread C:\WINDOWS\System32\svchost.exe [1144:4368] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [1144:5908] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [1144:5732] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [1144:5728] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [1144:5652] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [1144:5724] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [1144:5720] 00007ffbeb67a1f0 Thread C:\WINDOWS\System32\svchost.exe [1144:2432] 00007ffbc9922b8c Thread C:\WINDOWS\System32\svchost.exe [1144:5980] 00007ffbddf2ac44 Thread C:\WINDOWS\System32\svchost.exe [1144:7412] 00007ffbea5125f4 Thread C:\WINDOWS\System32\svchost.exe [1144:7860] 00007ffbea5125f4 Thread C:\WINDOWS\System32\svchost.exe [1144:6088] 00007ffbe22a149c Thread C:\WINDOWS\System32\svchost.exe [1144:5292] 0000000f51a61b54 Thread C:\WINDOWS\System32\spoolsv.exe [1512:2712] 00007ffbddda12f8 Thread C:\WINDOWS\System32\spoolsv.exe [1512:4580] 00007ffbddd83118 Thread C:\WINDOWS\System32\spoolsv.exe [1512:5232] 00007ffbc9655b3c Thread C:\WINDOWS\System32\spoolsv.exe [1512:6056] 00007ffbc9299838 Thread C:\WINDOWS\system32\svchost.exe [1580:1596] 00007ffbec353cbc Thread C:\WINDOWS\system32\svchost.exe [1580:1604] 00007ffbec353cbc Thread C:\WINDOWS\system32\svchost.exe [1580:1616] 00007ffbec353cbc Thread C:\WINDOWS\system32\svchost.exe [1580:1624] 00007ffbe68749b0 Thread C:\WINDOWS\system32\svchost.exe [1580:1632] 00007ffbe698b1b4 Thread C:\WINDOWS\system32\svchost.exe [1580:1676] 00007ffbe6883f20 Thread C:\WINDOWS\system32\svchost.exe [1580:1684] 00007ffbe6895830 Thread C:\WINDOWS\system32\svchost.exe [1580:1688] 00007ffbe6884208 Thread C:\WINDOWS\system32\svchost.exe [1580:1896] 00007ffbe5752b90 Thread C:\WINDOWS\system32\svchost.exe [1580:3996] 00007ffbe57567bc Thread C:\WINDOWS\system32\svchost.exe [1580:2924] 00007ffbd5072110 Thread C:\WINDOWS\system32\svchost.exe [1580:3084] 00007ffbd4f84608 Thread C:\WINDOWS\system32\svchost.exe [1580:3344] 00007ffbd4f51584 Thread C:\WINDOWS\system32\svchost.exe [1580:1100] 00007ffbd4ef1b40 Thread C:\WINDOWS\system32\svchost.exe [1580:3100] 00007ffbd4f81040 Thread C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [1888:1940] 00007ffbe48b2d70 Thread C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [1888:1944] 00007ffbe492e840 Thread C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [1888:1956] 00007ffbe6831d20 Thread C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [1888:2040] 00007ffbdef81d20 Thread C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [1888:1340] 00007ffbe492e840 Thread C:\WINDOWS\system32\svchost.exe [2216:2340] 00007ffbdde00000 Thread C:\WINDOWS\system32\svchost.exe [2216:2344] 00007ffbdde025d0 Thread C:\WINDOWS\system32\svchost.exe [2216:7116] 00007ffbddda12f8 Thread C:\WINDOWS\system32\svchost.exe [2216:8120] 00007ffbddd83118 Thread C:\WINDOWS\system32\svchost.exe [3676:3308] 00007ffbd561cef0 Thread C:\WINDOWS\system32\svchost.exe [3676:2392] 00007ffbd561cfbc Thread C:\WINDOWS\system32\svchost.exe [3676:5612] 00007ffbddda12f8 Thread C:\WINDOWS\system32\svchost.exe [3676:5616] 00007ffbdddb9260 Thread C:\WINDOWS\system32\svchost.exe [3676:5364] 00007ffbef810310 Thread C:\WINDOWS\system32\svchost.exe [3676:6160] 00007ffbc7588490 Thread C:\WINDOWS\system32\svchost.exe [3676:3432] 00007ffbc75ca12c Thread C:\WINDOWS\system32\svchost.exe [3676:2100] 00007ffbc75ca12c Thread C:\WINDOWS\System32\svchost.exe [4372:5960] 00007ffbc97d1154 Thread C:\WINDOWS\System32\svchost.exe [4372:1152] 00007ffbc97cc384 Thread C:\WINDOWS\System32\svchost.exe [4372:7584] 00007ffbde024b30 Thread C:\WINDOWS\system32\DllHost.exe [2832:4972] 00007ffbd96a6820 Thread C:\WINDOWS\system32\csrss.exe [4056:7264] fffff960008fab90 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe (*** suspicious ***) @ C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe [2320] (SW Update Agent/Samsung Electronics CO., LTD.)(2013-07-23 13:06:25) 0000000000890000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----