GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-07 22:54:51 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000025 WDC_WD10EZEX-00ZF5A0 rev.80.00A80 931,51GB Running: z5vzw3ix.exe; Driver: C:\Users\Majaque\AppData\Local\Temp\ffrdifow.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\services.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\services.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\services.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\services.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\services.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\services.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\lsass.exe[716] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\lsass.exe[716] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\lsass.exe[716] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\lsass.exe[716] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\lsass.exe[716] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\lsass.exe[716] 
C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x56ee60]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x54ee10]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4cee00]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4aedf0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x58eb50]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x5aeb00]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x5ee3a0]} .text C:\WINDOWS\system32\svchost.exe[804] 
C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x52e380]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x2fcc40]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x34ca90]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3cbd20]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x62ab50]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x38a910]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x409d80]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x259ca0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2b6c60]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x216130]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [44, 00] .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x4e02b0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x5fc8f0]} .text C:\WINDOWS\system32\svchost.exe[804] 
C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 28] .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x63ba20]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x4fb4b0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x268f30]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x2faa80]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ba710]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x349ea0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x63bb10]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x459bb0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x3f3a10]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x591080]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x370a30]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x1df0d0]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x176a10]} .text C:\WINDOWS\system32\svchost.exe[804] 
C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x3df100]} .text C:\WINDOWS\system32\svchost.exe[804] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x35e740]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffbe5e94fc0 6 bytes {JMP QWORD [RIP+0x27b070]} .text C:\WINDOWS\system32\svchost.exe[848] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffbe5eafe20 6 bytes {JMP QWORD [RIP+0x240210]} .text C:\WINDOWS\system32\nvvsvc.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\nvvsvc.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\nvvsvc.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\nvvsvc.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 
bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\nvvsvc.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\nvvsvc.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[288] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[288] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[288] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[288] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[288] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[288] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\svchost.exe[952] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\svchost.exe[952] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\svchost.exe[952] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\System32\svchost.exe[952] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\svchost.exe[952] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\System32\svchost.exe[952] 
C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffbe5e94fc0 6 bytes {JMP QWORD [RIP+0x27b070]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffbe5eafe20 6 bytes {JMP QWORD [RIP+0x240210]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x56ee60]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x54ee10]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4cee00]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4aedf0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x58eb50]} .text 
C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x5aeb00]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x5ee3a0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x52e380]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x2fcc40]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x34ca90]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3cbd20]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x62ab50]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x38a910]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x409d80]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x259ca0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2b6c60]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x216130]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [44, 00] .text 
C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x4e02b0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x5fc8f0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 28] .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x63ba20]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x4fb4b0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x268f30]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x2faa80]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ba710]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x349ea0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x63bb10]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x459bb0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x3f3a10]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x591080]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD 
[RIP+0x370a30]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x1df0d0]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x176a10]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x3df100]} .text C:\WINDOWS\system32\svchost.exe[1032] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x35e740]} .text C:\WINDOWS\system32\svchost.exe[1120] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[1120] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[1120] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[1120] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[1120] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[1120] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\spoolsv.exe[1440] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\spoolsv.exe[1440] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\spoolsv.exe[1440] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\System32\spoolsv.exe[1440] 
C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\spoolsv.exe[1440] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\System32\spoolsv.exe[1440] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffbe5e94fc0 6 bytes {JMP QWORD [RIP+0x27b070]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffbe5eafe20 6 bytes {JMP QWORD [RIP+0x240210]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x56ee60]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x54ee10]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD 
[RIP+0x4cee00]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4aedf0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x58eb50]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x5aeb00]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x5ee3a0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x52e380]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x2fcc40]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x34ca90]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3cbd20]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x62ab50]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x38a910]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x409d80]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x259ca0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2b6c60]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 
bytes {JMP QWORD [RIP+0x216130]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [44, 00] .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x4e02b0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x5fc8f0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 28] .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x63ba20]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x4fb4b0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x268f30]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x2faa80]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ba710]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x349ea0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x63bb10]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x459bb0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD 
[RIP+0x3f3a10]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x591080]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x370a30]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x1df0d0]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x176a10]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x3df100]} .text C:\WINDOWS\system32\svchost.exe[1512] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x35e740]} .text C:\WINDOWS\System32\svchost.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\svchost.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\svchost.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\System32\svchost.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\svchost.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\System32\svchost.exe[1664] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[1864] 
C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x56ee60]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x54ee10]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4cee00]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4aedf0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x58eb50]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x5aeb00]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x5ee3a0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x52e380]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x2fcc40]} .text 
C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x34ca90]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3cbd20]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x62ab50]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x38a910]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x409d80]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x259ca0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2b6c60]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x216130]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [44, 00] .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x4e02b0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x5fc8f0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 28] .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x63ba20]} .text 
C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x4fb4b0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x268f30]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x2faa80]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ba710]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x349ea0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x63bb10]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x459bb0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x3f3a10]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x591080]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x370a30]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x1df0d0]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x176a10]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x3df100]} .text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD 
[RIP+0x35e740]} .text C:\WINDOWS\system32\svchost.exe[2132] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[2132] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\svchost.exe[2132] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[2132] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\svchost.exe[2132] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\svchost.exe[2132] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Windows\System32\WUDFHost.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\Windows\System32\WUDFHost.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Windows\System32\WUDFHost.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\Windows\System32\WUDFHost.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Windows\System32\WUDFHost.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Windows\System32\WUDFHost.exe[2228] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\dashost.exe[2264] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\dashost.exe[2264] 
C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\dashost.exe[2264] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\dashost.exe[2264] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\dashost.exe[2264] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\dashost.exe[2264] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\svchost.exe[4908] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffbe5958d80 6 bytes {JMP QWORD [RIP+0x1672b0]} .text C:\WINDOWS\system32\svchost.exe[4908] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[4908] 
C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 17] .text C:\WINDOWS\system32\svchost.exe[4908] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[4908] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x156ce0]} .text C:\WINDOWS\system32\svchost.exe[4908] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x195b10]} .text C:\WINDOWS\system32\svchost.exe[4908] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x154080]} .text C:\WINDOWS\system32\svchost.exe[4384] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffbe5958d80 6 bytes {JMP QWORD [RIP+0x1672b0]} .text C:\WINDOWS\system32\svchost.exe[4384] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[4384] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 17] .text C:\WINDOWS\system32\svchost.exe[4384] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[4384] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x156ce0]} .text C:\WINDOWS\system32\svchost.exe[4384] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x195b10]} .text C:\WINDOWS\system32\svchost.exe[4384] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x154080]} .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!CheckTokenMembership + 1 00007ffbe59545f1 5 bytes {JMP QWORD [RIP+0x16ba40]} .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 
00007ffbe5958d80 6 bytes {JMP QWORD [RIP+0x1872b0]} .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 19] .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x176ce0]} .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x1b5b10]} .text C:\WINDOWS\system32\svchost.exe[5084] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x174080]} .text C:\WINDOWS\system32\svchost.exe[1944] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffbe5958d80 6 bytes {JMP QWORD [RIP+0x1672b0]} .text C:\WINDOWS\system32\svchost.exe[1944] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\svchost.exe[1944] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 17] .text C:\WINDOWS\system32\svchost.exe[1944] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\svchost.exe[1944] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x156ce0]} .text C:\WINDOWS\system32\svchost.exe[1944] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x195b10]} .text C:\WINDOWS\system32\svchost.exe[1944] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x154080]} .text 
C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x80ee60]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4fee00]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x82eb50]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x84eb00]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x88e3a0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x7ce380]} .text 
C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x33cc40]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x37ca90]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3fbd20]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x8cab50]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x3ba910]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x439d80]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [47, 00] .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x7802b0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x89c8f0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\WINDOWS\system32\dwm.exe[3784] 
C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x8dba20]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x79b4b0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x33aa80]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x379ea0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x8dbb10]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x489bb0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x423a10]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x831080]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x3a0a30]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x40f100]} .text C:\WINDOWS\system32\dwm.exe[3784] 
C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x38e740]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbe63e3d80 6 bytes {JMP QWORD [RIP+0x56c2b0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbe63f4a00 6 bytes {JMP QWORD [RIP+0x32b630]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbe63f4b70 6 bytes {JMP QWORD [RIP+0x30b4c0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbe63f7d30 6 bytes {JMP QWORD [RIP+0x578300]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbe6402e30 6 bytes {JMP QWORD [RIP+0x5ad200]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbe6402f40 6 bytes {JMP QWORD [RIP+0x33d0f0]} .text C:\WINDOWS\system32\dwm.exe[3784] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbe6463f30 6 bytes {JMP QWORD [RIP+0x52c100]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] 
C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x80ee60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4fee00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x82eb50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x84eb00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x88e3a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x7ce380]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x33cc40]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x37ca90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3fbd20]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x8cab50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x3ba910]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x439d80]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [47, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x7802b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x89c8f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x8dba20]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x79b4b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x33aa80]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x379ea0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x8dbb10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x489bb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x423a10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x831080]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x3a0a30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} 
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x40f100]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x38e740]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbe63e3d80 6 bytes {JMP QWORD [RIP+0x56c2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbe63f4a00 6 bytes {JMP QWORD [RIP+0x32b630]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbe63f4b70 6 bytes {JMP QWORD [RIP+0x30b4c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbe63f7d30 6 bytes {JMP QWORD [RIP+0x578300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbe6402e30 6 bytes {JMP QWORD [RIP+0x5ad200]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbe6402f40 6 bytes {JMP QWORD [RIP+0x33d0f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbe6463f30 6 bytes {JMP QWORD [RIP+0x52c100]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\nvvsvc.exe[5284] 
C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0xa2eb00]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0xa6e3a0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x78cc40]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x7cca90]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x84bd20]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0xaaab50]} .text 
C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x80a910]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [8C, 00] .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0xa7c8f0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0xabba20]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x78aa80]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!PostMessageA 
00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x7c9ea0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0xabbb10]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x8d9bb0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x873a10]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0xa11080]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x7f0a30]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x85f100]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x7de740]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbe63e3d80 6 bytes {JMP QWORD [RIP+0x56c2b0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbe63f4a00 6 bytes {JMP QWORD [RIP+0x32b630]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbe63f4b70 6 bytes {JMP QWORD [RIP+0x30b4c0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbe63f7d30 6 bytes {JMP 
QWORD [RIP+0x578300]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbe6402e30 6 bytes {JMP QWORD [RIP+0x5ad200]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbe6402f40 6 bytes {JMP QWORD [RIP+0x33d0f0]} .text C:\WINDOWS\system32\nvvsvc.exe[5284] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbe6463f30 6 bytes {JMP QWORD [RIP+0x52c100]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x80ee60]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4fee00]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 
00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x82eb50]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x84eb00]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x88e3a0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x7ce380]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x33cc40]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x37ca90]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3fbd20]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x8cab50]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x3ba910]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x439d80]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text 
C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [47, 00] .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x7802b0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x89c8f0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x8dba20]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x79b4b0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x33aa80]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x379ea0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x8dbb10]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x489bb0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x423a10]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 
bytes {JMP QWORD [RIP+0x831080]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x3a0a30]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x40f100]} .text C:\WINDOWS\system32\taskhostex.exe[6800] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x38e740]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x80ee60]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD 
[RIP+0x4fee00]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x82eb50]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x1eaeb00]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x21be3a0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x7ce380]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x33cc40]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x37ca90]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3fbd20]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x21fab50]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x439d80]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 
00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [47, 00] .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes JMP ffffff .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x21cc8f0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x220ba20]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x79b4b0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x33aa80]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x379ea0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x220bb10]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x489bb0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x423a10]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x2161080]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 
00007ffbe67df600 6 bytes JMP ffffffff .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x40f100]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x38e740]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbe63e3d80 6 bytes {JMP QWORD [RIP+0x56c2b0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbe63f4a00 6 bytes {JMP QWORD [RIP+0x32b630]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbe63f4b70 6 bytes {JMP QWORD [RIP+0x30b4c0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbe63f7d30 6 bytes {JMP QWORD [RIP+0x578300]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbe6402e30 6 bytes {JMP QWORD [RIP+0x5ad200]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbe6402f40 6 bytes {JMP QWORD [RIP+0x33d0f0]} .text C:\WINDOWS\Explorer.EXE[3756] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbe6463f30 6 bytes JMP b7518eb7 .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\Windows\System32\skydrive.exe[7124] 
C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x80ee60]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4fee00]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x82eb50]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x1eaeb00]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x21be3a0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x7ce380]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x33cc40]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x37ca90]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3fbd20]} .text 
C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x21fab50]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x3ba910]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x439d80]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [47, 00] .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x7802b0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x21cc8f0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x220ba20]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x79b4b0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} 
.text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x33aa80]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x379ea0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x220bb10]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x489bb0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x423a10]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x2161080]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x3a0a30]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x40f100]} .text C:\Windows\System32\skydrive.exe[7124] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x38e740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] 
C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x231ee60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x22fee10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x227ee00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x225edf0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x233eb50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x239e3a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes JMP cb089b .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x78cc40]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x7cca90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x1eabd20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x23dab50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x80a910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x21b9d80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes JMP 340039 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes JMP 10002 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes JMP ffffffff .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [1F, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x22902b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD 
[RIP+0x23ac8f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x23eba20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x22ab4b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes JMP 330030 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x78aa80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes JMP 2d4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x7c9ea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x23ebb10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x2209bb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x21a3a10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x2341080]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x7f0a30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] 
C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x218f100]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x210e740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbe63e3d80 6 bytes {JMP QWORD [RIP+0x56c2b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbe63f4a00 6 bytes {JMP QWORD [RIP+0x32b630]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbe63f4b70 6 bytes JMP 6280631 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbe63f7d30 6 bytes {JMP QWORD [RIP+0x578300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbe6402e30 6 bytes {JMP QWORD [RIP+0x5ad200]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbe6402f40 6 bytes {JMP QWORD [RIP+0x33d0f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbe6463f30 6 bytes {JMP QWORD [RIP+0x52c100]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text 
C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x80ee60]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4fee00]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x82eb50]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x84eb00]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x88e3a0]} .text 
C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x7ce380]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x33cc40]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x37ca90]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3fbd20]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x8cab50]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x3ba910]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x439d80]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] 
.text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [47, 00] .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x7802b0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x89c8f0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x8dba20]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x79b4b0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x33aa80]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x379ea0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x8dbb10]} .text C:\Program 
Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x489bb0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x423a10]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x831080]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x3a0a30]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x40f100]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x38e740]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffbe63e3d80 6 bytes {JMP QWORD [RIP+0x56c2b0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffbe63f4a00 6 bytes {JMP QWORD [RIP+0x32b630]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffbe63f4b70 6 bytes {JMP QWORD [RIP+0x30b4c0]} .text C:\Program 
Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffbe63f7d30 6 bytes {JMP QWORD [RIP+0x578300]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffbe6402e30 6 bytes {JMP QWORD [RIP+0x5ad200]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffbe6402f40 6 bytes {JMP QWORD [RIP+0x33d0f0]} .text C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffbe6463f30 6 bytes {JMP QWORD [RIP+0x52c100]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD [RIP+0x175b10]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x80ee60]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x7eee10]} .text C:\Windows\System32\SettingSyncHost.exe[3400] 
C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4fee00]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4dedf0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x82eb50]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x84eb00]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x88e3a0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x7ce380]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x33cc40]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x37ca90]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3fbd20]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x8cab50]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD [RIP+0x3ba910]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x439d80]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x289ca0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] 
C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2e6c60]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x246130]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [47, 00] .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x7802b0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x89c8f0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 2B] .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x8dba20]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x79b4b0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x298f30]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x33aa80]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ea710]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x379ea0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 
bytes {JMP QWORD [RIP+0x8dbb10]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x489bb0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x423a10]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x831080]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x3a0a30]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x20f0d0]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x1a6a10]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x40f100]} .text C:\Windows\System32\SettingSyncHost.exe[3400] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x38e740]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffbe5958e46 3 bytes [C4, 71, 11] .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffbe5968ca0 5 bytes [FF, 25, 90, 73, 15] .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffbe596ef70 5 bytes JMP 00007ffce59400d8 .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffbe59a9351 5 bytes {JMP QWORD [RIP+0x136ce0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffbe59aa520 6 bytes {JMP QWORD 
[RIP+0x175b10]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffbe59cbfb0 6 bytes {JMP QWORD [RIP+0x134080]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffbe67a11d0 6 bytes {JMP QWORD [RIP+0x56ee60]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffbe67a1220 6 bytes {JMP QWORD [RIP+0x54ee10]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffbe67a1230 6 bytes {JMP QWORD [RIP+0x4cee00]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffbe67a1240 6 bytes {JMP QWORD [RIP+0x4aedf0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffbe67a14e0 6 bytes {JMP QWORD [RIP+0x58eb50]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffbe67a1530 6 bytes {JMP QWORD [RIP+0x5aeb00]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffbe67a1c90 6 bytes {JMP QWORD [RIP+0x5ee3a0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffbe67a1cb0 6 bytes {JMP QWORD [RIP+0x52e380]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffbe67a33f0 6 bytes {JMP QWORD [RIP+0x2fcc40]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffbe67a35a0 6 bytes {JMP QWORD [RIP+0x34ca90]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffbe67a4311 5 bytes {JMP QWORD [RIP+0x3cbd20]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffbe67a54e0 6 bytes {JMP QWORD [RIP+0x62ab50]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffbe67a5720 6 bytes {JMP QWORD 
[RIP+0x38a910]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffbe67a62b0 6 bytes {JMP QWORD [RIP+0x409d80]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffbe67a6390 6 bytes {JMP QWORD [RIP+0x259ca0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffbe67a93d0 6 bytes {JMP QWORD [RIP+0x2b6c60]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffbe67a9f00 6 bytes {JMP QWORD [RIP+0x216130]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffbe67ab7f0 3 bytes [FF, 25, 40] .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffbe67ab7f4 2 bytes [44, 00] .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffbe67afd81 5 bytes {JMP QWORD [RIP+0x4e02b0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffbe67b3740 6 bytes {JMP QWORD [RIP+0x5fc8f0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffbe67b3c60 5 bytes [FF, 25, D0, C3, 28] .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffbe67b4610 6 bytes {JMP QWORD [RIP+0x63ba20]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffbe67b4b80 6 bytes {JMP QWORD [RIP+0x4fb4b0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffbe67b7101 5 bytes {JMP QWORD [RIP+0x268f30]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffbe67c55b0 6 bytes {JMP QWORD [RIP+0x2faa80]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffbe67c5920 6 bytes {JMP QWORD [RIP+0x2ba710]} 
.text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffbe67c6190 6 bytes {JMP QWORD [RIP+0x349ea0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffbe67d4520 6 bytes {JMP QWORD [RIP+0x63bb10]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffbe67d6480 6 bytes {JMP QWORD [RIP+0x459bb0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffbe67dc620 6 bytes {JMP QWORD [RIP+0x3f3a10]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffbe67defb0 6 bytes {JMP QWORD [RIP+0x591080]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffbe67df600 6 bytes {JMP QWORD [RIP+0x370a30]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffbe6800f60 6 bytes {JMP QWORD [RIP+0x1df0d0]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffbe6829620 6 bytes {JMP QWORD [RIP+0x176a10]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffbe6830f30 6 bytes {JMP QWORD [RIP+0x3df100]} .text C:\WINDOWS\System32\svchost.exe[2120] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffbe68318f0 6 bytes {JMP QWORD [RIP+0x35e740]} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[700] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\services.exe[700] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\services.exe[700] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\lsass.exe[716] @ 
C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\lsass.exe[716] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[848] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[848] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[848] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[936] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[936] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[936] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[288] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[556] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[952] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[952] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[952] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[952] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[952] @ C:\WINDOWS\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1032] @ 
C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1032] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1032] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1032] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1032] @ c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1032] @ c:\windows\system32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1120] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1120] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1120] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\spoolsv.exe[1440] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\spoolsv.exe[1440] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\spoolsv.exe[1440] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\spoolsv.exe[1440] @ C:\WINDOWS\System32\localspl.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\spoolsv.exe[1440] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[1664] @ 
C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[1664] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\System32\svchost.exe[1664] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1864] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1864] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1864] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1864] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1864] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\comctl32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[1864] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[2132] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[2132] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[2132] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\WUDFHost.exe[2228] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\WUDFHost.exe[2228] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\WUDFHost.exe[2228] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\WUDFHost.exe[2228] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dashost.exe[2264] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dashost.exe[2264] @ 
C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dashost.exe[2264] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dashost.exe[2264] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3480] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3480] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3480] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3480] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3480] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\svchost.exe[4908] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[4908] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[4908] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[4384] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[4384] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[4384] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[5084] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[5084] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\svchost.exe[5084] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe6d70000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\dwm.exe[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ 
C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\Shell32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\uDWM.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\dwm.exe[3784] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ 
C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[6904] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\nvvsvc.exe[5284] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT 
C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\system32\taskhostex.exe[6800] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\Comctl32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\twinui.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT 
C:\WINDOWS\Explorer.EXE[3756] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\authui.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\WSShared.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\Windows\System32\ieframe.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\UIRibbon.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\system32\wpdshext.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ C:\WINDOWS\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\WINDOWS\Explorer.EXE[3756] @ 
C:\WINDOWS\system32\syncui.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\Windows\System32\skydrive.exe[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\Windows\System32\DUI70.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\skydrive.exe[7124] @ C:\Windows\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\SYSTEM32\oledlg.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[6588] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\system32\shell32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\Microsoft.NET\Framework64\v3.0\WPF\wpfgfx_v0300.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ 
C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\comctl32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\SYSTEM32\d3d9.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[2324] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\SettingSyncHost.exe[3400] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\SettingSyncHost.exe[3400] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\SettingSyncHost.exe[3400] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] IAT C:\Windows\System32\SettingSyncHost.exe[3400] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffbe66e0000] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [1492:4700] fffff960009a22d0 Thread C:\WINDOWS\Explorer.EXE [3756:5152] 00007ffbe206e630 Thread C:\WINDOWS\Explorer.EXE [3756:5888] 00007ffbc76be630 Thread C:\Windows\System32\SettingSyncHost.exe [3400:6744] 00007ffbe3a37090 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ACI19B483LMTF080691_0B_07D8_89^7DA45D8997E316767AD3146BD8D31CEC@Timestamp 0x55 0xDE 0x75 0x6C ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -112120027 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 25268 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 28860 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 494 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 602 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 25765 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime 150 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 357 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 26008 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 249 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 103 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 26367 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 26458 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 28339 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 26457 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 28782 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 2194 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 46 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime 1 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 13823 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 1871 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime 42 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 14 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 425 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 27 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 230674 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x20 0x50 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 19205 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0xD6 0x23 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 169 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate 46 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 122 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 1602 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 351 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0xE5 0x12 0xEE 0x0B ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 1898 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\AV\Settings\RealTime@ScanningMode 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy@Num 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\0@UID {505A67FF-2200-4562-BB7F-6B27CB9479C6} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\0@Filename C:\Program Files (x86)\Skype\Phone\Skype.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\0@DeviceName C:\Program Files (x86)\Skype\Phone\Skype.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\0\Rules\0@UID {4EBD5583-96E1-455B-A355-14F735AC45F8} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\1@UID {515EBEF0-A688-4240-B3B2-DD6B5570025B} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\1@Filename C:\Program Files\K2T.eu\WTW\wtw.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\1@DeviceName C:\Program Files\K2T.eu\WTW\wtw.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\1\Rules\0@UID {C6558CC7-36CE-4812-B321-1269C6BDC979} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2@UID {76D76BB4-8755-49BD-A024-13BA4394E61F} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2@Filename System Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2@DeviceName System Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2@LastID 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\0@UID {9CD586D2-11B9-4179-B3A2-E3F0369EA734} Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\0@ID 25512 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\0@Description Zezwól na wychodzące połączenia od Systemu, jeżeli odbiorca znajduje się w [Dom #1] Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\0\DestinationIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\0\DestinationIP@Name Dom #1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@UID {167701CE-9F0B-4E52-9EDD-BEF70D071034} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@ID 25512 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@Index 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@Direction 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@Description Zezwól na przychodzące połączenia do Systemu, jeżeli nadawca znajduje się 
w [Dom #1] Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP@Name Dom #1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\1\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\3@UID {24DF266A-3D21-4C66-975C-61C73F8E947F} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\3@Flags 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\3@DeviceName COMODO Internet Security Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\3@TreatAs Tylko wychodzące Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\3\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4@UID {8D11056A-CF60-4B09-9C3B-8EA6A55AE342} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4@DeviceName Aplikacje Windows Update Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@UID {A549396D-00FA-45F9-957D-2D1F181D1F4C} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@Index 0 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@Description Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\5@UID {FA4FBF44-C125-4662-BC51-BF2DF82BAC8A} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\5@DeviceName Systemowe aplikacje Windows Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\5\Rules\0@UID {66A7DAC7-155A-413A-827E-FB53374808FE} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\6@UID {2B91983A-CDCD-4289-8853-D5A8A3D06F6C} Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\6@Flags 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\6@DeviceName Aplikacje Modern UI Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\6@TreatAs Tylko wychodzące Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Firewall\Settings@SecurityLevel 8 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\SBSettings@SBMode 67451 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Settings@Mode 151977982 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{B5531989-85D4-4462-89F8-4101D2E054D6}@DefunctTimestamp 0x01 0xF0 0x9B 0x55 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2732 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 155 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4E3954D8-6667-48A9-8A35-6D72DC86246A}@LeaseObtainedTime 1436282883 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4E3954D8-6667-48A9-8A35-6D72DC86246A}@T1 1436326083 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4E3954D8-6667-48A9-8A35-6D72DC86246A}@T2 1436358483 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4E3954D8-6667-48A9-8A35-6D72DC86246A}@LeaseTerminatesTime 1436369283 Reg HKLM\SYSTEM\CurrentControlSet\Services\WinUsb\Parameters\Wdf@TimeOfLastSqmLog 0x7D 0xC3 0x5C 0x52 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList@MRUList ba Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0x1F 0x3C 0x05 0x0F ... 
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0x7D 0x0A 0x07 0xE1 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xDD 0x62 0x18 0x80 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xDD 0x62 0x18 0x80 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 7926 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xDD 0x62 0x18 0x80 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 19145 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xDD 0x62 0x18 0x80 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x31 0x8F 0x5E 0xBC ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x46 0x56 0x90 0x35 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 0 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@LastRateLimitedDumpGenerationTime 0xF7 0x53 0x7D 0x5A ... ---- EOF - GMER 2.1 ----