GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-27 15:42:44 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 ST500LT012-9WS142 rev.0001SDM1 465,76GB Running: gmer.exe; Driver: C:\Users\Grzegorz\AppData\Local\Temp\kgroqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\lsass.exe[768] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\lsass.exe[768] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\lsass.exe[768] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\lsass.exe[768] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\lsass.exe[768] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\lsass.exe[768] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[984] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\dwm.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\dwm.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\dwm.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\dwm.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\dwm.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\dwm.exe[1012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\svchost.exe[364] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\svchost.exe[364] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\svchost.exe[364] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\System32\svchost.exe[364] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\svchost.exe[364] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\System32\svchost.exe[364] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffdc2384fc0 6 bytes {JMP QWORD [RIP+0x41b070]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffdc239fe20 6 bytes {JMP QWORD [RIP+0x3e0210]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x72ee60]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x70ee10]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x68ee00]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x66edf0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x74eb50]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x95eb00]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0xb2e3a0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x6ee380]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x29cc40]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0xb6ab50]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x1f9ca0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x256c60]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x6a02b0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0xb3c8f0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0xb7ba20]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x6bb4b0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x208f30]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x25a710]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0xb7bb10]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x619bb0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0xad1080]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x59f100]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\system32\svchost.exe[492] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[492] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[492] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\svchost.exe[492] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[492] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[492] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x72ee60]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x70ee10]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x68ee00]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x66edf0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x74eb50]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x95eb00]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0xb2e3a0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x6ee380]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x29cc40]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0xb6ab50]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x1f9ca0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x256c60]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [60, 00] .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x6a02b0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0xb3c8f0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 22] .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0xb7ba20]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x6bb4b0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x208f30]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x25a710]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0xb7bb10]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x619bb0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0xad1080]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x59f100]} .text C:\WINDOWS\System32\svchost.exe[1000] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\System32\spoolsv.exe[1424] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\spoolsv.exe[1424] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\spoolsv.exe[1424] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\System32\spoolsv.exe[1424] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\spoolsv.exe[1424] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\System32\spoolsv.exe[1424] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffdc2384fc0 6 bytes {JMP QWORD [RIP+0x41b070]} .text C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffdc239fe20 6 bytes {JMP QWORD [RIP+0x3e0210]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0xbeee60]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0xbcee10]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0xb4ee00]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0xb2edf0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0xc0eb50]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0xc2eb00]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0xc6e3a0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0xbae380]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x60cc40]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x64ca90]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x6cbd20]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0xcaab50]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x68a910]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x709d80]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x569ca0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x5c6c60]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x526130]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [74, 00] .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0xb602b0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0xc7c8f0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 59] .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0xcbba20]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0xb7b4b0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 3 bytes [25, 30, 8F] .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 5 00007ffdbfc07105 1 byte [00] .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x60aa80]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x5ca710]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x649ea0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0xcbbb10]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0xad9bb0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x6f3a10]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0xc11080]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x670a30]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x4ef0d0]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x486a10]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x8cf100]} .text C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x65e740]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\viakaraokesrv.exe[1972] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\viakaraokesrv.exe[1972] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\viakaraokesrv.exe[1972] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\viakaraokesrv.exe[1972] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\viakaraokesrv.exe[1972] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\viakaraokesrv.exe[1972] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[2616] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[2616] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[2616] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\svchost.exe[2616] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[2616] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[2616] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x72ee60]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x70ee10]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x68ee00]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x66edf0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x74eb50]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x95eb00]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0xb2e3a0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x6ee380]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x29cc40]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0xb6ab50]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x1f9ca0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x256c60]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [60, 00] .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x6a02b0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0xb3c8f0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 22] .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0xb7ba20]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x6bb4b0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x208f30]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x25a710]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0xb7bb10]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x619bb0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0xad1080]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x59f100]} .text C:\WINDOWS\System32\svchost.exe[2704] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\WINDOWS\system32\dashost.exe[2796] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\dashost.exe[2796] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\dashost.exe[2796] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\WINDOWS\system32\dashost.exe[2796] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\dashost.exe[2796] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\dashost.exe[2796] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x21fee60]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x21dee10]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x75ee00]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x73edf0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x259eb50]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x25beb00]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0x25fe3a0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x21be380]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x59cc40]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x5dca90]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x65bd20]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0x263ab50]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x61a910]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x699d80]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x4f9ca0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x556c60]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [6D, 00] .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x20102b0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0x260c8f0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 52] .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0x264ba20]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x202b4b0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x508f30]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x59aa80]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x55a710]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x5d9ea0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0x264bb10]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x6e9bb0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0x25a1080]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x600a30]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x66f100]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x5ee740]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffdc0363d80 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffdc0374a00 6 bytes {JMP QWORD [RIP+0x18b630]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffdc0374b70 6 bytes {JMP QWORD [RIP+0x16b4c0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffdc0377d30 6 bytes {JMP QWORD [RIP+0x1848300]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffdc0382e30 6 bytes {JMP QWORD [RIP+0x187d200]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffdc0382f40 6 bytes {JMP QWORD [RIP+0x19d0f0]} .text C:\WINDOWS\Explorer.EXE[2936] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffdc03e3f30 6 bytes {JMP QWORD [RIP+0x17fc100]} .text C:\WINDOWS\system32\DllHost.exe[4008] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\DllHost.exe[4008] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\DllHost.exe[4008] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\DllHost.exe[4008] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\DllHost.exe[4008] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\DllHost.exe[4008] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3852] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0xb7ee60]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0xb5ee10]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x75ee00]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x73edf0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0xb9eb50]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0xbbeb00]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0xbfe3a0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0xb3e380]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x59cc40]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x5dca90]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x65bd20]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0xc3ab50]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x61a910]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x699d80]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x4f9ca0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x556c60]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [6D, 00] .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0xaf02b0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0xc0c8f0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 52] .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0xc4ba20]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0xb0b4b0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x508f30]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x59aa80]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x55a710]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x5d9ea0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0xc4bb10]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x6e9bb0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x683a10]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0xba1080]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x600a30]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x66f100]} .text C:\WINDOWS\system32\taskhostex.exe[4224] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x5ee740]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x72ee60]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x70ee10]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x68ee00]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x66edf0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x74eb50]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x95eb00]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0xb2e3a0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x6ee380]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x29cc40]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x50ca90]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x58bd20]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0xb6ab50]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x54a910]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x5c9d80]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x1f9ca0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x256c60]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [60, 00] .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x6a02b0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0xb3c8f0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 22] .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0xb7ba20]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x6bb4b0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x208f30]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x4caa80]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x25a710]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x509ea0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0xb7bb10]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x619bb0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0xad1080]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x530a30]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x59f100]} .text C:\WINDOWS\system32\DllHost.exe[4588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x51e740]} .text C:\Windows\System32\skydrive.exe[4324] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Windows\System32\skydrive.exe[4324] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Windows\System32\skydrive.exe[4324] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\Windows\System32\skydrive.exe[4324] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Windows\System32\skydrive.exe[4324] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Windows\System32\skydrive.exe[4324] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffdc0363d80 6 bytes {JMP QWORD [RIP+0x20c2b0]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffdc0374a00 6 bytes {JMP QWORD [RIP+0x18b630]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffdc0374b70 6 bytes {JMP QWORD [RIP+0x16b4c0]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffdc0377d30 6 bytes JMP 4f004e .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffdc0382e30 6 bytes {JMP QWORD [RIP+0x35d200]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffdc0382f40 6 bytes {JMP QWORD [RIP+0x19d0f0]} .text C:\WINDOWS\system32\igfxsrvc.exe[5772] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffdc03e3f30 6 bytes JMP 340002 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Windows\System32\SettingSyncHost.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Windows\System32\SettingSyncHost.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Windows\System32\SettingSyncHost.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\Windows\System32\SettingSyncHost.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Windows\System32\SettingSyncHost.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Windows\System32\SettingSyncHost.exe[352] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0xb7ee60]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0xb5ee10]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x75ee00]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x73edf0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0xb9eb50]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0xbbeb00]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0xbfe3a0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0xb3e380]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x59cc40]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x5dca90]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x65bd20]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0xc3ab50]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x61a910]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x699d80]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x4f9ca0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x556c60]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [6D, 00] .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0xaf02b0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0xc0c8f0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 52] .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0xc4ba20]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0xb0b4b0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x508f30]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x59aa80]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x55a710]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x5d9ea0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0xc4bb10]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x6e9bb0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x683a10]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0xba1080]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x600a30]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x66f100]} .text C:\WINDOWS\system32\taskhost.exe[7116] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x5ee740]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf7d00d8 .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x26aee60]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x268ee10]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x260ee00]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x25eedf0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x26ceb50]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x26eeb00]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0x272e3a0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x266e380]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x6ccc40]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x70ca90]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x202bd20]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0x2b1ab50]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x74a910]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x21c9d80]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x629ca0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x686c60]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x5e6130]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [58, 02] .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x26202b0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0x273c8f0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 65] .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0x2b7ba20]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x263b4b0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x638f30]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x6caa80]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x68a710]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x709ea0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0x2b7bb10]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x2599bb0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x21b3a10]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0x26d1080]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x920a30]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x5af0d0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x546a10]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x251f100]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x211e740]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffdc0363d80 6 bytes {JMP QWORD [RIP+0x20c2b0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffdc0374a00 6 bytes {JMP QWORD [RIP+0x18b630]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffdc0374b70 6 bytes {JMP QWORD [RIP+0x16b4c0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffdc0377d30 6 bytes {JMP QWORD [RIP+0x1848300]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffdc0382e30 6 bytes {JMP QWORD [RIP+0x187d200]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffdc0382f40 6 bytes {JMP QWORD [RIP+0x19d0f0]} .text C:\Temp\FRST64.exe[7036] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffdc03e3f30 6 bytes {JMP QWORD [RIP+0x17fc100]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffdc0363d80 6 bytes {JMP QWORD [RIP+0x20c2b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffdc0374a00 6 bytes {JMP QWORD [RIP+0x18b630]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffdc0374b70 6 bytes {JMP QWORD [RIP+0x16b4c0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffdc0377d30 6 bytes {JMP QWORD [RIP+0x1848300]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffdc0382e30 6 bytes {JMP QWORD [RIP+0x187d200]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffdc0382f40 6 bytes {JMP QWORD [RIP+0x19d0f0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffdc03e3f30 6 bytes {JMP QWORD [RIP+0x17fc100]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x263ee60]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x261ee10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x259ee00]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x21fedf0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x265eb50]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x267eb00]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0x26be3a0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x25fe380]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x65cc40]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x69ca90]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x71bd20]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0x26fab50]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x6da910]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x759d80]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x5b9ca0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x616c60]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [03, 02] .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x25b02b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0x26cc8f0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 5E] .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0x270ba20]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x25cb4b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x5c8f30]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x65aa80]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x61a710]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x699ea0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0x270bb10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x21a9bb0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x1fe3a10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0x2661080]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x6c0a30]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x212f100]} .text C:\WINDOWS\SYSTEM32\notepad.exe[7648] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x6ae740]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffdc0363d80 6 bytes {JMP QWORD [RIP+0x20c2b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffdc0374a00 6 bytes {JMP QWORD [RIP+0x18b630]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffdc0374b70 6 bytes {JMP QWORD [RIP+0x16b4c0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffdc0377d30 6 bytes {JMP QWORD [RIP+0x1848300]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffdc0382e30 6 bytes {JMP QWORD [RIP+0x187d200]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffdc0382f40 6 bytes {JMP QWORD [RIP+0x19d0f0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffdc03e3f30 6 bytes {JMP QWORD [RIP+0x17fc100]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x263ee60]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x261ee10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x259ee00]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x21fedf0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x265eb50]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x267eb00]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0x26be3a0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x25fe380]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x65cc40]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x69ca90]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x71bd20]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0x26fab50]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x6da910]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x759d80]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x5b9ca0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x616c60]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [03, 02] .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x25b02b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0x26cc8f0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 5E] .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0x270ba20]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x25cb4b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x5c8f30]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x65aa80]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x61a710]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x699ea0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0x270bb10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x21a9bb0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x1fe3a10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0x2661080]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x6c0a30]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x212f100]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6104] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x6ae740]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffdbf838e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffdbf848ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffdbf84ef70 5 bytes JMP 00007ffebf8200d8 .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffdbf889351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffdbf88a520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffdbf8abfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffdc0363d80 6 bytes {JMP QWORD [RIP+0x20c2b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffdc0374a00 6 bytes {JMP QWORD [RIP+0x18b630]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffdc0374b70 6 bytes {JMP QWORD [RIP+0x16b4c0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffdc0377d30 6 bytes {JMP QWORD [RIP+0x1848300]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffdc0382e30 6 bytes {JMP QWORD [RIP+0x187d200]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffdc0382f40 6 bytes {JMP QWORD [RIP+0x19d0f0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffdc03e3f30 6 bytes {JMP QWORD [RIP+0x17fc100]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffdbfbf11d0 6 bytes {JMP QWORD [RIP+0x263ee60]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffdbfbf1220 6 bytes {JMP QWORD [RIP+0x261ee10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffdbfbf1230 6 bytes {JMP QWORD [RIP+0x259ee00]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffdbfbf1240 6 bytes {JMP QWORD [RIP+0x21fedf0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffdbfbf14e0 6 bytes {JMP QWORD [RIP+0x265eb50]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffdbfbf1530 6 bytes {JMP QWORD [RIP+0x267eb00]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffdbfbf1c90 6 bytes {JMP QWORD [RIP+0x26be3a0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffdbfbf1cb0 6 bytes {JMP QWORD [RIP+0x25fe380]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffdbfbf33f0 6 bytes {JMP QWORD [RIP+0x65cc40]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffdbfbf35a0 6 bytes {JMP QWORD [RIP+0x69ca90]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffdbfbf4311 5 bytes {JMP QWORD [RIP+0x71bd20]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffdbfbf54e0 6 bytes {JMP QWORD [RIP+0x26fab50]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffdbfbf5720 6 bytes {JMP QWORD [RIP+0x6da910]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffdbfbf62b0 6 bytes {JMP QWORD [RIP+0x759d80]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffdbfbf6390 6 bytes {JMP QWORD [RIP+0x5b9ca0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffdbfbf93d0 6 bytes {JMP QWORD [RIP+0x616c60]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffdbfbf9f00 6 bytes {JMP QWORD [RIP+0x1b6130]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffdbfbfb7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffdbfbfb7f4 2 bytes [03, 02] .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffdbfbffd81 5 bytes {JMP QWORD [RIP+0x25b02b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffdbfc03740 6 bytes {JMP QWORD [RIP+0x26cc8f0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffdbfc03c60 5 bytes [FF, 25, D0, C3, 5E] .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffdbfc04610 6 bytes {JMP QWORD [RIP+0x270ba20]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffdbfc04b80 6 bytes {JMP QWORD [RIP+0x25cb4b0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffdbfc07101 5 bytes {JMP QWORD [RIP+0x5c8f30]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffdbfc155b0 6 bytes {JMP QWORD [RIP+0x65aa80]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffdbfc15920 6 bytes {JMP QWORD [RIP+0x61a710]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffdbfc16190 6 bytes {JMP QWORD [RIP+0x699ea0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffdbfc24520 6 bytes {JMP QWORD [RIP+0x270bb10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffdbfc26480 6 bytes {JMP QWORD [RIP+0x21a9bb0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffdbfc2c620 6 bytes {JMP QWORD [RIP+0x1fe3a10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffdbfc2efb0 6 bytes {JMP QWORD [RIP+0x2661080]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffdbfc2f600 6 bytes {JMP QWORD [RIP+0x6c0a30]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffdbfc50f60 6 bytes {JMP QWORD [RIP+0x17f0d0]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffdbfc79620 6 bytes {JMP QWORD [RIP+0x116a10]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffdbfc80f30 6 bytes {JMP QWORD [RIP+0x212f100]} .text C:\WINDOWS\SYSTEM32\notepad.exe[6888] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffdbfc818f0 6 bytes {JMP QWORD [RIP+0x6ae740]} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\lsass.exe[768] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\lsass.exe[768] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\lsass.exe[768] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[848] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[848] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[848] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[888] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[888] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[888] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dwm.exe[1012] @ C:\WINDOWS\system32\dwm.exe[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dwm.exe[1012] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dwm.exe[1012] @ C:\WINDOWS\system32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dwm.exe[1012] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dwm.exe[1012] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dwm.exe[1012] @ C:\WINDOWS\system32\uDWM.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dwm.exe[1012] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[364] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[364] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[364] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[616] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[616] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[616] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[616] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[616] @ c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[492] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[492] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[492] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[1000] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[1000] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[1000] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[1000] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[1000] @ C:\WINDOWS\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\spoolsv.exe[1424] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\spoolsv.exe[1424] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\spoolsv.exe[1424] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\spoolsv.exe[1424] @ C:\WINDOWS\System32\localspl.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\spoolsv.exe[1424] @ C:\WINDOWS\System32\PrintIsolationProxy.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\spoolsv.exe[1424] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[1476] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[1476] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[1476] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[1476] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[1476] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1608] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\comctl32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DptfParticipantProcessorService.exe[1664] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DptfPolicyConfigTDPService.exe[1704] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1724] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1740] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\viakaraokesrv.exe[1972] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\viakaraokesrv.exe[1972] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\viakaraokesrv.exe[1972] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[2616] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[2616] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\svchost.exe[2616] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[2704] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[2704] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\System32\svchost.exe[2704] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dashost.exe[2796] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dashost.exe[2796] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dashost.exe[2796] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\dashost.exe[2796] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3860] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\Comctl32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\twinui.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\authui.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\UIRibbon.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\system32\syncui.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\Explorer.EXE[2936] @ C:\WINDOWS\SYSTEM32\mfc100u.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4008] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4008] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4008] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4008] @ C:\WINDOWS\SYSTEM32\shell32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3852] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\ASUS\P4G\BatteryLife.exe[5052] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\ASUS\P4G\BatteryLife.exe[5052] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\ASUS\P4G\BatteryLife.exe[5052] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\ASUS\P4G\BatteryLife.exe[5052] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\ASUS\P4G\BatteryLife.exe[5052] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhostex.exe[4224] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4588] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4588] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4588] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4588] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4588] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\DllHost.exe[4588] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\Windows\System32\skydrive.exe[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\Windows\System32\DUI70.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\skydrive.exe[4324] @ C:\Windows\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\system32\igfxpers.exe[5156] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\system32\igfxpers.exe[5156] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\system32\igfxpers.exe[5156] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\system32\igfxpers.exe[5156] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\system32\igfxpers.exe[5156] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\OPENGL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\DDRAW.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\igfxsrvc.exe[5772] @ C:\WINDOWS\system32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\comctl32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\SYSTEM32\mfc100u.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[6140] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\igfxtray.exe[5292] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\igfxtray.exe[5292] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\igfxtray.exe[5292] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\igfxtray.exe[5292] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\igfxtray.exe[5292] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\igfxtray.exe[5292] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\igfxtray.exe[5292] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\hkcmd.exe[5824] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\hkcmd.exe[5824] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\hkcmd.exe[5824] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\hkcmd.exe[5824] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\hkcmd.exe[5824] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\hkcmd.exe[5824] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\hkcmd.exe[5824] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\comctl32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[5920] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[5420] @ C:\WINDOWS\SYSTEM32\OPENGL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[1444] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\SettingSyncHost.exe[352] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\SettingSyncHost.exe[352] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\SettingSyncHost.exe[352] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\SettingSyncHost.exe[352] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\SettingSyncHost.exe[352] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\SettingSyncHost.exe[352] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Windows\System32\SettingSyncHost.exe[352] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\system32\shell32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\Comctl32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[7688] @ C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhost.exe[7116] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhost.exe[7116] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\system32\taskhost.exe[7116] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\Temp\FRST64.exe[7036] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\SYSTEM32\notepad.exe[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[7648] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\SYSTEM32\notepad.exe[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6104] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\SYSTEM32\notepad.exe[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] IAT C:\WINDOWS\SYSTEM32\notepad.exe[6888] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffdc04c0000] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [668:6084] fffff960008b72d0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----