GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-02 18:10:45 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 TOSHIBA_MQ01ABD050 rev.AX002J 465,76GB Running: ze63cx3q.exe; Driver: C:\Users\Oliwia\AppData\Local\Temp\uxldapow.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xdbee60]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd9ee10]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xccee00]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xafedf0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xddeb50]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdfeb00]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe3e3a0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd7e380]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe7ab60]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xd302c0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe4c900]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe8ba30]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd4b4c0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe8bb10]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xde1080]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\services.exe[756] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xdbee60]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd9ee10]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xccee00]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xafedf0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xddeb50]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdfeb00]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe3e3a0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd7e380]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe7ab60]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xd302c0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe4c900]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe8ba30]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd4b4c0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe8bb10]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xde1080]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[840] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xdbee60]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd9ee10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xccee00]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xafedf0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xddeb50]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdfeb00]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe3e3a0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd7e380]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe7ab60]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xd302c0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe4c900]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe8ba30]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd4b4c0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe8bb10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xde1080]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[892] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\nvvsvc.exe[996] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\System32\svchost.exe[588] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xdbee60]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd9ee10]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xccee00]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xafedf0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xddeb50]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdfeb00]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe3e3a0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd7e380]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe7ab60]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xd302c0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe4c900]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe8ba30]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd4b4c0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe8bb10]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xde1080]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[668] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[948] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\System32\svchost.exe[1112] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xddee60]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xdbee10]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes JMP 0 .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xccedf0]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xdfeb50]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe1eb00]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe5e3a0]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd9e380]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes JMP 0 .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe9ab60]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes JMP 0 .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [AB, 00] .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes JMP 0 .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe6c900]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xeaba30]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd6b4c0]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xeabb10]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes JMP ac9b98 .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x7f3a10]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe01080]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes JMP 0 .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0xa4f030]} .text C:\WINDOWS\System32\spoolsv.exe[1568] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes JMP 40000 .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x15afe0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x119e10]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xdbee60]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd9ee10]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xccee00]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xafedf0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xddeb50]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdfeb00]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe3e3a0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd7e380]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe7ab60]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xd302c0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe4c900]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe8ba30]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd4b4c0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe8bb10]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xde1080]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[1592] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes JMP 0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes JMP 2 .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes JMP 94a1 .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes JMP 253f .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\AdminService.exe[1724] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes JMP 272f .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xeaee60]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe8ee10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xe0ee00]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xdeedf0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xeceb50]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xeeeb00]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xf2e3a0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe6e380]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x5ebd30]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf6ab60]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x629d90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [D8, 00] .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xe202c0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xf3c900]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf7ba30]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xe3b4c0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf7bb10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0xd99bb0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x7f3a10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xed1080]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x580a30]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0xd1f030]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1760] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x57e670]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\System32\svchost.exe[1820] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\dashost.exe[1848] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xeaee60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe8ee10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xe0ee00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xdeedf0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xeceb50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xeeeb00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xf2e3a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe6e380]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x5ebd30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf6ab60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x629d90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [D8, 00] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xe202c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xf3c900]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf7ba30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xe3b4c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf7bb10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0xd99bb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x7f3a10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xed1080]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x580a30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0xd1f030]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x57e670]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes JMP 6771 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes JMP 6a5 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes JMP 656c6946 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes JMP 14720 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3bb00d8 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes JMP 0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes JMP a2300000 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes JMP 0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[1928] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3bb00d8 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xeaee60]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe8ee10]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xe0ee00]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xdeedf0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xeceb50]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes JMP 3a .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xf2e3a0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe6e380]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x5ebd30]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x629d90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [D8, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xe202c0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xf3c900]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf7ba30]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xe3b4c0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf7bb10]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0xd99bb0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes JMP 4 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x580a30]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0xd1f030]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x57e670]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes JMP 6e20 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\svchost.exe[2336] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xddee60]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xdbee10]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xd3ee00]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xccedf0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xdfeb50]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe1eb00]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe5e3a0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd9e380]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x5ebd30]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe9ab60]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x629d90]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [AB, 00] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xd502c0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe6c900]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xeaba30]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd6b4c0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xeabb10]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0xac9bb0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x7f3a10]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe01080]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x580a30]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0xa4f030]} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2788] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x57e670]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xddee60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xdbee10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xd3ee00]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xccedf0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xdfeb50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe1eb00]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe5e3a0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd9e380]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x5ebd30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe9ab60]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x629d90]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [AB, 00] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xd502c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe6c900]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xeaba30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd6b4c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xeabb10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0xac9bb0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x7f3a10]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe01080]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x580a30]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0xa4f030]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x57e670]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x42f300]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x3e8440]} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x3ac300]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3624] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3624] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3624] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3624] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3624] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3624] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3bb00d8 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\SearchIndexer.exe[3980] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\iPod\bin\iPodService.exe[4392] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\System32\svchost.exe[5888] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x42f300]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x3e8440]} .text C:\WINDOWS\System32\dwm.exe[6404] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x3ac300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0378 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db03e8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0298 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0308 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffaa628d050 7 bytes JMP 00007ffaa3db0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffaa62bb160 5 bytes JMP 00007ffaa3db0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes JMP 1fffff .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes JMP 101 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes JMP 500050 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0500 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db04c8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db0458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\WINDOWS\system32\nvvsvc.exe[5940] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db02d0 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0308 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db03b0 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db0340 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db0378 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0228 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0298 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db0260 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0490 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db0458 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db03e8 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0420 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\WINDOWS\system32\taskhostex.exe[2152] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes JMP 20000 .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes JMP 20000 .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes JMP a1242570 .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\WINDOWS\Explorer.EXE[1980] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db0340 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0378 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db0420 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db03b0 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db03e8 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0298 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0308 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db02d0 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffaa628d050 7 bytes JMP 00007ffaa3db0228 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffaa62bb160 5 bytes JMP 00007ffaa3db0260 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xeaee60]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe8ee10]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xe0ee00]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xdeedf0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xeceb50]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xeeeb00]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xf2e3a0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe6e380]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x5ebd30]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf6ab60]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x629d90]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0500 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [D8, 00] .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xe202c0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xf3c900]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf7ba30]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xe3b4c0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db04c8 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db0458 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0490 .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf7bb10]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0xd99bb0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x7f3a10]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xed1080]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x580a30]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0xd1f030]} .text C:\Windows\System32\skydrive.exe[4696] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x57e670]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0378 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db03e8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0298 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0500 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db04c8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db0458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0378 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db03e8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0298 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0308 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes JMP 13dc88 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes JMP 94a1 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0500 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes JMP 32007b .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes JMP 401b4eb0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db04c8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db0458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes JMP bcde0395 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes JMP 253f .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes JMP 272f .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffaa628d050 7 bytes JMP 00007ffaa3db0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffaa62bb160 5 bytes JMP 00007ffaa3db0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db0340 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0378 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db0420 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db03e8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0298 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0308 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes JMP 175c8172 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes JMP 441043d .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes JMP 7287c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0500 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db04c8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db0458 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0490 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes JMP 8901f4 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes JMP ba9 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes JMP 400000 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffaa628d050 7 bytes JMP 00007ffaa3db0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffaa62bb160 5 bytes JMP 00007ffaa3db0260 .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x170540]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd9ee60]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd7ee10]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xafee00]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xadedf0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xdbeb50]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xddeb00]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xe1e3a0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd5e380]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe5ab60]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5e9d90]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [62, 00] .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xcc02c0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe2c900]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe6ba30]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xd2b4c0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe6bb10]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0xa89bb0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5d3a10]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xdc1080]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x79f030]} .text C:\Windows\System32\rundll32.exe[1108] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes JMP 22c02290 .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes JMP 8901f4 .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Windows\System32\igfxtray.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes CALL 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes JMP a64184a0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes JMP 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes JMP 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes JMP 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes JMP 455 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes JMP 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes JMP 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes JMP 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes JMP ba9 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes JMP 0 .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes JMP 9ae09cb .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes JMP 33006d .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\WINDOWS\system32\igfxsrvc.exe[6296] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes JMP fefefefe .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes JMP 22c02290 .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes JMP 630063 .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes JMP 5e771f5f .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes JMP 8901f4 .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Windows\System32\hkcmd.exe[4212] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db0340 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0378 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db0420 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db03b0 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db03e8 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0298 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0308 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db02d0 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes JMP fefefefe .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes JMP 441043d .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes JMP ffffffff .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes JMP 39b3e9a .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0500 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db04c8 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db0458 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0490 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes JMP 54004e .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes JMP 8901f4 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes JMP ba9 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes JMP 400000 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffaa628d050 7 bytes JMP 00007ffaa3db0228 .text C:\Windows\System32\igfxpers.exe[5152] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffaa62bb160 5 bytes JMP 00007ffaa3db0260 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db02d0 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0308 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db03b0 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db0340 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db0378 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0228 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0298 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db0260 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xd7ee60]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xd5ee10]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xadee00]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xabedf0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xd9eb50]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xdbeb00]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xdfe3a0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xd3e380]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xe3ab60]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0490 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xaf02c0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xe0c900]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xe4ba30]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xcbb4c0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db0458 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db03e8 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0420 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xe4bb10]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xda1080]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x42f300]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x3e8440]} .text C:\Program Files\iTunes\iTunesHelper.exe[3000] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x3ac300]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffaa5b83e10 7 bytes JMP 00007ffaa3db02d0 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffaa5b83e20 7 bytes JMP 00007ffaa3db0308 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffaa5c339b0 7 bytes JMP 00007ffaa3db03b0 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffaa5c33ef0 7 bytes JMP 00007ffaa3db0340 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffaa5c33fe0 7 bytes JMP 00007ffaa3db0378 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffaa5c606c0 7 bytes JMP 00007ffaa3db0228 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffaa5c60730 7 bytes JMP 00007ffaa3db0298 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffaa5c60760 7 bytes JMP 00007ffaa3db0260 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffaa3df21d0 5 bytes JMP 00007ffaa3db0180 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffaa3df29d0 7 bytes JMP 00007ffaa3db00d8 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffaa3df4310 5 bytes JMP 00007ffaa3db0110 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 5 bytes JMP 00007ffaa3db0148 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 13] .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3da00d8 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x132550]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1c0540]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x133f60]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0xe4ee60]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0xe2ee10]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0xdaee00]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0xd8edf0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0xe6eb50]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0xe8eb00]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0xece3a0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0xe0e380]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x29cc50]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x2dcaa0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x35bd30]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0xf0ab60]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x31a920]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x5b9d90]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1f9cb0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 10 bytes JMP 00007ffaa3db0490 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x256c70]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1b6140]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [60, 00] .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0xdc02c0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0xedc900]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 5 bytes [FF, 25, E0, C3, 22] .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0xf1ba30]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0xddb4c0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x208f40]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffaa5ed7490 5 bytes JMP 00007ffaa3db0458 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffaa5ed7550 9 bytes JMP 00007ffaa3db03e8 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x29aa90]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x25a720]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x2d9eb0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffaa5ee6b00 5 bytes JMP 00007ffaa3db0420 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0xf1bb10]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x7f9bb0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x5b3a10]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0xe71080]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x300a30]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x17f0c0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x116940]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x59f030]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x2ee670]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffaa6511500 8 bytes JMP 00007ffaa3db01b8 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffaa6511750 8 bytes JMP 00007ffaa3db01f0 .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ffaa65136c0 6 bytes {JMP QWORD [RIP+0x1fc970]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ffaa6521c90 6 bytes {JMP QWORD [RIP+0x17e3a0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ffaa6521e00 6 bytes {JMP QWORD [RIP+0x15e230]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ffaa6530d30 6 bytes {JMP QWORD [RIP+0x6ff300]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ffaa6530e40 6 bytes {JMP QWORD [RIP+0x18f1f0]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ffaa6537bf0 6 bytes {JMP QWORD [RIP+0x6b8440]} .text C:\Windows\System32\SettingSyncHost.exe[3828] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ffaa6593d30 6 bytes {JMP QWORD [RIP+0x67c300]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffaa5b84260 6 bytes {JMP QWORD [RIP+0x27bdd0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffaa5b923c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffaa5b93390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 6 bytes {JMP QWORD [RIP+0x1673f0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 15] .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x152550]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x190540]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x153f60]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffaa5e648f0 6 bytes {JMP QWORD [RIP+0x2db740]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffaa5e65810 6 bytes {JMP QWORD [RIP+0x33a820]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffaa5e65fa1 5 bytes {JMP QWORD [RIP+0x21a090]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffaa5e66350 6 bytes {JMP QWORD [RIP+0x2b9ce0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffaa5e66670 5 bytes [FF, 25, C0, 99, 25] .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffaa5e6a990 6 bytes {JMP QWORD [RIP+0x3156a0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffaa5e6ac40 6 bytes {JMP QWORD [RIP+0x2753f0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffaa5e6ae80 6 bytes {JMP QWORD [RIP+0x3751b0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffaa5e6af40 6 bytes {JMP QWORD [RIP+0x3550f0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffaa5e6b9a0 6 bytes {JMP QWORD [RIP+0x2f4690]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffaa5e85650 6 bytes {JMP QWORD [RIP+0x21a9e0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffaa5e85881 5 bytes {JMP QWORD [RIP+0x27a7b0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x96afe0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x929e10]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0x181ee60]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0x17fee10]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0x177ee00]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0x175edf0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0x183eb50]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0x185eb00]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0x189e3a0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0x17de380]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffaa5ec1e30 6 bytes {JMP QWORD [RIP+0x13fe200]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x15bcc50]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x15fcaa0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x167bd30]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffaa5ec51c0 6 bytes {JMP QWORD [RIP+0x83ae70]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0x18dab60]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x163a920]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffaa5ec5a40 6 bytes {JMP QWORD [RIP+0x62a5f0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x16b9d90]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1519cb0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 6 bytes {JMP QWORD [RIP+0xa692b0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffaa5ec7420 6 bytes {JMP QWORD [RIP+0x338c10]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffaa5ec7f20 6 bytes {JMP QWORD [RIP+0x7b8110]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffaa5ec80f1 5 bytes {JMP QWORD [RIP+0x7f7f40]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffaa5ec8df0 6 bytes {JMP QWORD [RIP+0x197240]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffaa5ec9130 6 bytes {JMP QWORD [RIP+0x1206f00]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x1576c70]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x13d6140]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffaa5eca480 6 bytes {JMP QWORD [RIP+0x11c5bb0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffaa5ecab20 6 bytes {JMP QWORD [RIP+0xa85510]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffaa5ecae60 6 bytes {JMP QWORD [RIP+0x7951d0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [6F, 01] .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffaa5ecbd50 6 bytes {JMP QWORD [RIP+0x3742e0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0x17902c0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffaa5ed0e50 6 bytes {JMP QWORD [RIP+0x117f1e0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0x18ac900]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 6 bytes {JMP QWORD [RIP+0x154c3e0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0x18eba30]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffaa5ed4690 6 bytes {JMP QWORD [RIP+0x11db9a0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0x17ab4c0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x1528f40]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffaa5ee3990 6 bytes {JMP QWORD [RIP+0xaac6a0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffaa5ee3aa0 6 bytes {JMP QWORD [RIP+0xa8c590]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x15baa90]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffaa5ee5890 6 bytes {JMP QWORD [RIP+0x120a7a0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x157a720]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffaa5ee5b90 6 bytes {JMP QWORD [RIP+0x10ea4a0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x15f9eb0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffaa5ee62c0 6 bytes {JMP QWORD [RIP+0x339d70]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffaa5ee7150 6 bytes {JMP QWORD [RIP+0x1128ee0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffaa5ee7680 6 bytes {JMP QWORD [RIP+0x11489b0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffaa5ee7be1 5 bytes {JMP QWORD [RIP+0x7f8450]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffaa5ee7c10 6 bytes {JMP QWORD [RIP+0x7b8420]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffaa5ef3fa0 6 bytes {JMP QWORD [RIP+0xa1c090]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0x18ebb10]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x1709bb0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffaa5ef66f0 6 bytes {JMP QWORD [RIP+0x1409940]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffaa5ef77a0 6 bytes {JMP QWORD [RIP+0x10b8890]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffaa5ef7820 6 bytes {JMP QWORD [RIP+0x1468810]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffaa5ef7bf0 6 bytes {JMP QWORD [RIP+0xad8440]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x16a3a10]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0x1841080]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x1620a30]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x149f0c0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffaa5f23510 6 bytes {JMP QWORD [RIP+0x13fcb20]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffaa5f23540 6 bytes {JMP QWORD [RIP+0xa8caf0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffaa5f23730 6 bytes {JMP QWORD [RIP+0x145c900]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffaa5f23760 6 bytes {JMP QWORD [RIP+0x106c8d0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x1336940]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffaa5f4ecd0 6 bytes {JMP QWORD [RIP+0x10a1360]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffaa5f50fc0 6 bytes {JMP QWORD [RIP+0x57f070]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x168f030]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffaa5f51540 6 bytes {JMP QWORD [RIP+0x111eaf0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x160e670]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffaa5ad1840 6 bytes {JMP QWORD [RIP+0x30e7f0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffaa5adf610 6 bytes {JMP QWORD [RIP+0x240a20]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffaa5adf620 6 bytes {JMP QWORD [RIP+0x2e0a10]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffaa5adf680 6 bytes {JMP QWORD [RIP+0x2809b0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffaa5b16c50 6 bytes {JMP QWORD [RIP+0x2893e0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffaa5b16e60 6 bytes {JMP QWORD [RIP+0x2291d0]} .text C:\WINDOWS\system32\svchost.exe[5300] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffaa5b22370 6 bytes {JMP QWORD [RIP+0x25dcc0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffaa5b84260 6 bytes {JMP QWORD [RIP+0x27bdd0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffaa5b923c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffaa5b93390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 6 bytes {JMP QWORD [RIP+0x1673f0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 15] .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x152550]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x190540]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x153f60]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffaa5e648f0 6 bytes {JMP QWORD [RIP+0x2db740]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffaa5e65810 6 bytes {JMP QWORD [RIP+0x33a820]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffaa5e65fa1 5 bytes {JMP QWORD [RIP+0x21a090]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffaa5e66350 6 bytes {JMP QWORD [RIP+0x2b9ce0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffaa5e66670 5 bytes [FF, 25, C0, 99, 25] .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffaa5e6a990 6 bytes {JMP QWORD [RIP+0x3156a0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffaa5e6ac40 6 bytes {JMP QWORD [RIP+0x2753f0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffaa5e6ae80 6 bytes {JMP QWORD [RIP+0x3751b0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffaa5e6af40 6 bytes {JMP QWORD [RIP+0x3550f0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffaa5e6b9a0 6 bytes {JMP QWORD [RIP+0x2f4690]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffaa5e85650 6 bytes {JMP QWORD [RIP+0x21a9e0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffaa5e85881 5 bytes {JMP QWORD [RIP+0x27a7b0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x96afe0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x929e10]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0x181ee60]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0x17fee10]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0x177ee00]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0x175edf0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0x183eb50]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0x185eb00]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0x189e3a0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0x17de380]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffaa5ec1e30 6 bytes {JMP QWORD [RIP+0x13fe200]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x15bcc50]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x15fcaa0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x167bd30]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffaa5ec51c0 6 bytes {JMP QWORD [RIP+0x83ae70]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0x18dab60]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x163a920]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffaa5ec5a40 6 bytes {JMP QWORD [RIP+0x62a5f0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x16b9d90]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1519cb0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 6 bytes {JMP QWORD [RIP+0xa692b0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffaa5ec7420 6 bytes {JMP QWORD [RIP+0x338c10]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffaa5ec7f20 6 bytes {JMP QWORD [RIP+0x7b8110]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffaa5ec80f1 5 bytes {JMP QWORD [RIP+0x7f7f40]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffaa5ec8df0 6 bytes {JMP QWORD [RIP+0x197240]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffaa5ec9130 6 bytes {JMP QWORD [RIP+0x1206f00]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x1576c70]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x13d6140]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffaa5eca480 6 bytes {JMP QWORD [RIP+0x11c5bb0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffaa5ecab20 6 bytes {JMP QWORD [RIP+0xa85510]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffaa5ecae60 6 bytes {JMP QWORD [RIP+0x7951d0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [6F, 01] .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffaa5ecbd50 6 bytes {JMP QWORD [RIP+0x3742e0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0x17902c0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffaa5ed0e50 6 bytes {JMP QWORD [RIP+0x117f1e0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0x18ac900]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 6 bytes {JMP QWORD [RIP+0x154c3e0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0x18eba30]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffaa5ed4690 6 bytes {JMP QWORD [RIP+0x11db9a0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0x17ab4c0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x1528f40]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffaa5ee3990 6 bytes {JMP QWORD [RIP+0xaac6a0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffaa5ee3aa0 6 bytes {JMP QWORD [RIP+0xa8c590]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x15baa90]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffaa5ee5890 6 bytes {JMP QWORD [RIP+0x120a7a0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x157a720]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffaa5ee5b90 6 bytes {JMP QWORD [RIP+0x10ea4a0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x15f9eb0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffaa5ee62c0 6 bytes {JMP QWORD [RIP+0x339d70]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffaa5ee7150 6 bytes {JMP QWORD [RIP+0x1128ee0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffaa5ee7680 6 bytes {JMP QWORD [RIP+0x11489b0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffaa5ee7be1 5 bytes {JMP QWORD [RIP+0x7f8450]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffaa5ee7c10 6 bytes {JMP QWORD [RIP+0x7b8420]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffaa5ef3fa0 6 bytes {JMP QWORD [RIP+0xa1c090]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0x18ebb10]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x1709bb0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffaa5ef66f0 6 bytes {JMP QWORD [RIP+0x1409940]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffaa5ef77a0 6 bytes {JMP QWORD [RIP+0x10b8890]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffaa5ef7820 6 bytes {JMP QWORD [RIP+0x1468810]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffaa5ef7bf0 6 bytes {JMP QWORD [RIP+0xad8440]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x16a3a10]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0x1841080]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x1620a30]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x149f0c0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffaa5f23510 6 bytes {JMP QWORD [RIP+0x13fcb20]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffaa5f23540 6 bytes {JMP QWORD [RIP+0xa8caf0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffaa5f23730 6 bytes {JMP QWORD [RIP+0x145c900]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffaa5f23760 6 bytes {JMP QWORD [RIP+0x106c8d0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x1336940]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffaa5f4ecd0 6 bytes {JMP QWORD [RIP+0x10a1360]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffaa5f50fc0 6 bytes {JMP QWORD [RIP+0x57f070]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x168f030]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffaa5f51540 6 bytes {JMP QWORD [RIP+0x111eaf0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x160e670]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffaa5ad1840 6 bytes {JMP QWORD [RIP+0x30e7f0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffaa5adf610 6 bytes {JMP QWORD [RIP+0x240a20]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffaa5adf620 6 bytes {JMP QWORD [RIP+0x2e0a10]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffaa5adf680 6 bytes {JMP QWORD [RIP+0x2809b0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffaa5b16c50 6 bytes {JMP QWORD [RIP+0x2893e0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffaa5b16e60 6 bytes {JMP QWORD [RIP+0x2291d0]} .text C:\WINDOWS\system32\svchost.exe[4244] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffaa5b22370 6 bytes {JMP QWORD [RIP+0x25dcc0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffaa5b84260 6 bytes {JMP QWORD [RIP+0x27bdd0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffaa5b923c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffaa5b93390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!CheckTokenMembership + 1 00007ffaa3df45f1 5 bytes {JMP QWORD [RIP+0x16ba40]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 6 bytes {JMP QWORD [RIP+0x1873f0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 17] .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x172550]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x1b0540]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x173f60]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffaa5e648f0 6 bytes {JMP QWORD [RIP+0x2db740]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffaa5e65810 6 bytes {JMP QWORD [RIP+0x33a820]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffaa5e65fa1 5 bytes {JMP QWORD [RIP+0x21a090]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffaa5e66350 6 bytes {JMP QWORD [RIP+0x2b9ce0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffaa5e66670 5 bytes [FF, 25, C0, 99, 25] .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffaa5e6a990 6 bytes {JMP QWORD [RIP+0x3156a0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffaa5e6ac40 6 bytes {JMP QWORD [RIP+0x2753f0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffaa5e6ae80 6 bytes {JMP QWORD [RIP+0x3751b0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffaa5e6af40 6 bytes {JMP QWORD [RIP+0x3550f0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffaa5e6b9a0 6 bytes {JMP QWORD [RIP+0x2f4690]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffaa5e85650 6 bytes {JMP QWORD [RIP+0x21a9e0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffaa5e85881 5 bytes {JMP QWORD [RIP+0x27a7b0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffaa67f5050 6 bytes {JMP QWORD [RIP+0x96afe0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffaa6816220 6 bytes {JMP QWORD [RIP+0x929e10]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0x181ee60]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0x17fee10]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0x177ee00]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0x175edf0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0x183eb50]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0x185eb00]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0x189e3a0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0x17de380]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffaa5ec1e30 6 bytes {JMP QWORD [RIP+0x13fe200]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x15bcc50]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x15fcaa0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x167bd30]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffaa5ec51c0 6 bytes {JMP QWORD [RIP+0x83ae70]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0x18dab60]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x163a920]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffaa5ec5a40 6 bytes {JMP QWORD [RIP+0x62a5f0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x16b9d90]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x1519cb0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 6 bytes {JMP QWORD [RIP+0xa692b0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffaa5ec7420 6 bytes {JMP QWORD [RIP+0x338c10]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffaa5ec7f20 6 bytes {JMP QWORD [RIP+0x7b8110]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffaa5ec80f1 5 bytes {JMP QWORD [RIP+0x7f7f40]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffaa5ec8df0 6 bytes {JMP QWORD [RIP+0x197240]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffaa5ec9130 6 bytes {JMP QWORD [RIP+0x1206f00]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x1576c70]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x13d6140]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffaa5eca480 6 bytes {JMP QWORD [RIP+0x11c5bb0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffaa5ecab20 6 bytes {JMP QWORD [RIP+0xa85510]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffaa5ecae60 6 bytes {JMP QWORD [RIP+0x7951d0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [6F, 01] .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffaa5ecbd50 6 bytes {JMP QWORD [RIP+0x3742e0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0x17902c0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffaa5ed0e50 6 bytes {JMP QWORD [RIP+0x117f1e0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0x18ac900]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 6 bytes {JMP QWORD [RIP+0x154c3e0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0x18eba30]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffaa5ed4690 6 bytes {JMP QWORD [RIP+0x11db9a0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0x17ab4c0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x1528f40]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffaa5ee3990 6 bytes {JMP QWORD [RIP+0xaac6a0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffaa5ee3aa0 6 bytes {JMP QWORD [RIP+0xa8c590]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x15baa90]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffaa5ee5890 6 bytes {JMP QWORD [RIP+0x120a7a0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x157a720]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffaa5ee5b90 6 bytes {JMP QWORD [RIP+0x10ea4a0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x15f9eb0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffaa5ee62c0 6 bytes {JMP QWORD [RIP+0x339d70]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffaa5ee7150 6 bytes {JMP QWORD [RIP+0x1128ee0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffaa5ee7680 6 bytes {JMP QWORD [RIP+0x11489b0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffaa5ee7be1 5 bytes {JMP QWORD [RIP+0x7f8450]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffaa5ee7c10 6 bytes {JMP QWORD [RIP+0x7b8420]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffaa5ef3fa0 6 bytes {JMP QWORD [RIP+0xa1c090]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0x18ebb10]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x1709bb0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffaa5ef66f0 6 bytes {JMP QWORD [RIP+0x1409940]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffaa5ef77a0 6 bytes {JMP QWORD [RIP+0x10b8890]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffaa5ef7820 6 bytes {JMP QWORD [RIP+0x1468810]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffaa5ef7bf0 6 bytes {JMP QWORD [RIP+0xad8440]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x16a3a10]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0x1841080]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x1620a30]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x149f0c0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffaa5f23510 6 bytes {JMP QWORD [RIP+0x13fcb20]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffaa5f23540 6 bytes {JMP QWORD [RIP+0xa8caf0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffaa5f23730 6 bytes {JMP QWORD [RIP+0x145c900]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffaa5f23760 6 bytes {JMP QWORD [RIP+0x106c8d0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x1336940]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffaa5f4ecd0 6 bytes {JMP QWORD [RIP+0x10a1360]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffaa5f50fc0 6 bytes {JMP QWORD [RIP+0x57f070]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x168f030]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffaa5f51540 6 bytes {JMP QWORD [RIP+0x111eaf0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x160e670]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffaa5ad1840 6 bytes {JMP QWORD [RIP+0x30e7f0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffaa5adf610 6 bytes {JMP QWORD [RIP+0x240a20]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffaa5adf620 6 bytes {JMP QWORD [RIP+0x2e0a10]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffaa5adf680 6 bytes {JMP QWORD [RIP+0x2809b0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffaa5b16c50 6 bytes {JMP QWORD [RIP+0x2893e0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffaa5b16e60 6 bytes {JMP QWORD [RIP+0x2291d0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffaa5b22370 6 bytes {JMP QWORD [RIP+0x25dcc0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffaa628d050 6 bytes {JMP QWORD [RIP+0x232fe0]} .text C:\WINDOWS\system32\svchost.exe[4868] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffaa62b1330 6 bytes {JMP QWORD [RIP+0x1eed00]} .text C:\WINDOWS\system32\svchost.exe[4868] c:\windows\system32\wevtapi.dll!EvtClearLog 00007ffa9e895d90 6 bytes {JMP QWORD [RIP+0x7a2a0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNEL32.DLL!RegOpenKeyExW 00007ffaa5b84260 6 bytes {JMP QWORD [RIP+0x27bdd0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringA 00007ffaa5b923c0 6 bytes {JMP QWORD [RIP+0x16dc70]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNEL32.DLL!GetPrivateProfileStringW 00007ffaa5b93390 6 bytes {JMP QWORD [RIP+0x14cca0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffaa3df8c40 6 bytes {JMP QWORD [RIP+0x1673f0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffaa3df8d06 3 bytes [04, 73, 11] .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffaa3e223e0 5 bytes [FF, 25, 50, DC, 15] .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffaa3e2fcf0 5 bytes JMP 00007ffaa3db00d8 .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffaa3e4dae1 5 bytes {JMP QWORD [RIP+0x152550]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNELBASE.dll!CopyFileExW 00007ffaa3e4faf0 6 bytes {JMP QWORD [RIP+0x190540]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\KERNELBASE.dll!CopyFile2 00007ffaa3e6c0d0 6 bytes {JMP QWORD [RIP+0x153f60]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!SetServiceStatus 00007ffaa5e648f0 6 bytes {JMP QWORD [RIP+0x2db740]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!SubscribeServiceChangeNotifications 00007ffaa5e65810 6 bytes {JMP QWORD [RIP+0x33a820]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW + 1 00007ffaa5e65fa1 5 bytes {JMP QWORD [RIP+0x21a090]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 00007ffaa5e66350 6 bytes {JMP QWORD [RIP+0x2b9ce0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 00007ffaa5e66670 5 bytes [FF, 25, C0, 99, 25] .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 00007ffaa5e6a990 6 bytes {JMP QWORD [RIP+0x3156a0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 00007ffaa5e6ac40 6 bytes {JMP QWORD [RIP+0x2753f0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScValidatePnPService 00007ffaa5e6ae80 6 bytes {JMP QWORD [RIP+0x3751b0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 00007ffaa5e6af40 6 bytes {JMP QWORD [RIP+0x3550f0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!NotifyServiceStatusChange 00007ffaa5e6b9a0 6 bytes {JMP QWORD [RIP+0x2f4690]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 00007ffaa5e85650 6 bytes {JMP QWORD [RIP+0x21a9e0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA + 1 00007ffaa5e85881 5 bytes {JMP QWORD [RIP+0x27a7b0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ffaa5ec11d0 6 bytes {JMP QWORD [RIP+0x17dee60]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetParent 00007ffaa5ec1220 6 bytes {JMP QWORD [RIP+0x17bee10]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ffaa5ec1230 6 bytes {JMP QWORD [RIP+0x173ee00]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendInput 00007ffaa5ec1240 6 bytes {JMP QWORD [RIP+0x171edf0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ffaa5ec14e0 6 bytes {JMP QWORD [RIP+0x17feb50]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ffaa5ec1530 6 bytes {JMP QWORD [RIP+0x181eb00]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ffaa5ec1c90 6 bytes {JMP QWORD [RIP+0x185e3a0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ffaa5ec1cb0 6 bytes {JMP QWORD [RIP+0x179e380]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetLayeredWindowAttributes 00007ffaa5ec1e30 6 bytes {JMP QWORD [RIP+0x13be200]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ffaa5ec33e0 6 bytes {JMP QWORD [RIP+0x157cc50]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ffaa5ec3590 6 bytes {JMP QWORD [RIP+0x15bcaa0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffaa5ec4301 5 bytes {JMP QWORD [RIP+0x163bd30]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetClassNameW 00007ffaa5ec51c0 6 bytes {JMP QWORD [RIP+0x83ae70]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ffaa5ec54d0 6 bytes {JMP QWORD [RIP+0x189ab60]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ffaa5ec5710 6 bytes {JMP QWORD [RIP+0x15fa920]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!UnregisterClassW 00007ffaa5ec5a40 6 bytes {JMP QWORD [RIP+0x62a5f0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ffaa5ec62a0 6 bytes {JMP QWORD [RIP+0x1679d90]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ffaa5ec6380 6 bytes {JMP QWORD [RIP+0x14d9cb0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffaa5ec6d80 6 bytes {JMP QWORD [RIP+0xa692b0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!RegisterClassW 00007ffaa5ec7420 6 bytes {JMP QWORD [RIP+0x338c10]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetClassInfoExW 00007ffaa5ec7f20 6 bytes {JMP QWORD [RIP+0x7b8110]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetClassInfoW + 1 00007ffaa5ec80f1 5 bytes {JMP QWORD [RIP+0x7f7f40]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetShellWindow 00007ffaa5ec8df0 6 bytes {JMP QWORD [RIP+0x197240]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!EnumChildWindows 00007ffaa5ec9130 6 bytes {JMP QWORD [RIP+0x1206f00]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ffaa5ec93c0 6 bytes {JMP QWORD [RIP+0x1536c70]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ffaa5ec9ef0 6 bytes {JMP QWORD [RIP+0x1396140]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!EnumWindows 00007ffaa5eca480 6 bytes {JMP QWORD [RIP+0x11c5bb0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateWindowExA 00007ffaa5ecab20 6 bytes {JMP QWORD [RIP+0xa85510]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!UnregisterClassA 00007ffaa5ecae60 6 bytes {JMP QWORD [RIP+0x7951d0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ffaa5ecb7e0 3 bytes [FF, 25, 50] .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW + 4 00007ffaa5ecb7e4 2 bytes [6B, 01] .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!RegisterClassExW 00007ffaa5ecbd50 6 bytes {JMP QWORD [RIP+0x3742e0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ffaa5ecfd71 5 bytes {JMP QWORD [RIP+0x17502c0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!FindWindowW 00007ffaa5ed0e50 6 bytes {JMP QWORD [RIP+0x117f1e0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ffaa5ed3730 6 bytes {JMP QWORD [RIP+0x186c900]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ffaa5ed3c50 6 bytes {JMP QWORD [RIP+0x150c3e0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ffaa5ed4600 6 bytes {JMP QWORD [RIP+0x18aba30]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!EnumThreadWindows 00007ffaa5ed4690 6 bytes {JMP QWORD [RIP+0x11db9a0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ffaa5ed4b70 6 bytes {JMP QWORD [RIP+0x176b4c0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ffaa5ed70f1 5 bytes {JMP QWORD [RIP+0x14e8f40]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateDialogParamW 00007ffaa5ee3990 6 bytes {JMP QWORD [RIP+0xaac6a0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW 00007ffaa5ee3aa0 6 bytes {JMP QWORD [RIP+0xa8c590]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ffaa5ee55a0 6 bytes {JMP QWORD [RIP+0x157aa90]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!EnumDesktopWindows 00007ffaa5ee5890 6 bytes {JMP QWORD [RIP+0x120a7a0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ffaa5ee5910 6 bytes {JMP QWORD [RIP+0x153a720]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateWindowInBand 00007ffaa5ee5b90 6 bytes {JMP QWORD [RIP+0x10ea4a0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ffaa5ee6180 6 bytes {JMP QWORD [RIP+0x15b9eb0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!RegisterClassA 00007ffaa5ee62c0 6 bytes {JMP QWORD [RIP+0x339d70]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!FindWindowExW 00007ffaa5ee7150 6 bytes {JMP QWORD [RIP+0x1128ee0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!FindWindowExA 00007ffaa5ee7680 6 bytes {JMP QWORD [RIP+0x11489b0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetClassInfoA + 1 00007ffaa5ee7be1 5 bytes {JMP QWORD [RIP+0x7f8450]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetClassInfoExA 00007ffaa5ee7c10 6 bytes {JMP QWORD [RIP+0x7b8420]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetClassNameA 00007ffaa5ef3fa0 6 bytes {JMP QWORD [RIP+0xa1c090]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ffaa5ef4520 6 bytes {JMP QWORD [RIP+0x18abb10]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ffaa5ef6480 6 bytes {JMP QWORD [RIP+0x16c9bb0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamW 00007ffaa5ef66f0 6 bytes {JMP QWORD [RIP+0x13c9940]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW 00007ffaa5ef77a0 6 bytes {JMP QWORD [RIP+0x10b8890]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamW 00007ffaa5ef7820 6 bytes {JMP QWORD [RIP+0x1428810]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!DialogBoxParamW 00007ffaa5ef7bf0 6 bytes {JMP QWORD [RIP+0xad8440]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ffaa5efc620 6 bytes {JMP QWORD [RIP+0x1663a10]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ffaa5efefb0 6 bytes {JMP QWORD [RIP+0x1801080]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ffaa5eff600 6 bytes {JMP QWORD [RIP+0x15e0a30]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ffaa5f20f70 6 bytes {JMP QWORD [RIP+0x145f0c0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamA 00007ffaa5f23510 6 bytes {JMP QWORD [RIP+0x13bcb20]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateDialogParamA 00007ffaa5f23540 6 bytes {JMP QWORD [RIP+0xa8caf0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamA 00007ffaa5f23730 6 bytes {JMP QWORD [RIP+0x141c900]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!DialogBoxParamA 00007ffaa5f23760 6 bytes {JMP QWORD [RIP+0x106c8d0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ffaa5f496f0 6 bytes {JMP QWORD [RIP+0x12f6940]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!CreateWindowIndirect 00007ffaa5f4ecd0 6 bytes {JMP QWORD [RIP+0x10a1360]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!RegisterClassExA 00007ffaa5f50fc0 6 bytes {JMP QWORD [RIP+0x57f070]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ffaa5f51000 6 bytes {JMP QWORD [RIP+0x164f030]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!FindWindowA 00007ffaa5f51540 6 bytes {JMP QWORD [RIP+0x111eaf0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ffaa5f519c0 6 bytes {JMP QWORD [RIP+0x15ce670]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\ADVAPI32.dll!SetServiceStatus 00007ffaa5ad1840 6 bytes {JMP QWORD [RIP+0x30e7f0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherW 00007ffaa5adf610 6 bytes {JMP QWORD [RIP+0x240a20]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerW 00007ffaa5adf620 6 bytes {JMP QWORD [RIP+0x2e0a10]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 00007ffaa5adf680 6 bytes {JMP QWORD [RIP+0x2809b0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00007ffaa5b16c50 6 bytes {JMP QWORD [RIP+0x2893e0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\ADVAPI32.dll!StartServiceCtrlDispatcherA 00007ffaa5b16e60 6 bytes {JMP QWORD [RIP+0x2291d0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\system32\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00007ffaa5b22370 6 bytes {JMP QWORD [RIP+0x25dcc0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffaa628d050 6 bytes {JMP QWORD [RIP+0x232fe0]} .text C:\WINDOWS\system32\svchost.exe[4336] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffaa62b1330 6 bytes {JMP QWORD [RIP+0x1eed00]} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\lsass.exe[764] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\lsass.exe[764] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\lsass.exe[764] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[892] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\Comctl32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[996] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[996] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[996] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[996] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[588] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[588] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[588] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[668] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[668] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[668] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[668] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[668] @ c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[948] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[948] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[948] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[948] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1112] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1112] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1112] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1112] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1112] @ c:\windows\system32\RASDLG.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1112] @ C:\WINDOWS\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1284] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1284] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1284] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\spoolsv.exe[1568] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\spoolsv.exe[1568] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\spoolsv.exe[1568] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\spoolsv.exe[1568] @ C:\WINDOWS\System32\localspl.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\spoolsv.exe[1568] @ C:\WINDOWS\System32\PrintIsolationProxy.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\spoolsv.exe[1568] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\spoolsv.exe[1568] @ C:\WINDOWS\system32\spool\PRTPROCS\x64\winprint.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1592] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1592] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1592] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1592] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1592] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1708] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\AdminService.exe[1724] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\AdminService.exe[1724] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\AdminService.exe[1724] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\AdminService.exe[1724] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\AdminService.exe[1724] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\comctl32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Bonjour\mDNSResponder.exe[1760] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Bonjour\mDNSResponder.exe[1760] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Bonjour\mDNSResponder.exe[1760] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1820] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1820] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[1820] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\dashost.exe[1848] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\dashost.exe[1848] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\dashost.exe[1848] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\dashost.exe[1848] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\SYSTEM32\mfc100.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1952] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1968] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\SYSTEM32\mfc100.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1272] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1928] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1928] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1928] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1928] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[1928] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\SYSTEM32\mfc100.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1128] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[2336] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[2336] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[2336] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2788] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2788] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2788] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\SYSTEM32\mfc100.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2904] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3784] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3980] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3980] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3980] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3980] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\SearchIndexer.exe[3980] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iPod\bin\iPodService.exe[4392] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iPod\bin\iPodService.exe[4392] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iPod\bin\iPodService.exe[4392] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[5888] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[5888] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\svchost.exe[5888] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5360] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\System32\dwm.exe[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\System32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\System32\dwm.exe[6404] @ C:\WINDOWS\System32\uDWM.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18405_none_932a3cf14750e859\gdiplus.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1556] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\Windows\System32\Dxtrans.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\Windows\System32\ddrawex.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\Windows\System32\DDRAW.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\nvvsvc.exe[5940] @ C:\Windows\System32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\taskhostex.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\Comctl32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\twinui.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18405_none_932a3cf14750e859\gdiplus.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\authui.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__pctype_func] [d00420000002e] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___lc_codepage_func] [690072004f0001] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!isspace] [61006e00690067] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_CxxThrowException] [6c00690046006c] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@XZ] [6d0061006e0065] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!setlocale] [69006200000065] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_onexit] [72007000730074] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__CxxFrameHandler3] [64002e00370078] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_callnewh] [6c006c] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__uncaught_exception] [5000010025006a] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_unlock] [750064006f0072] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_lock] [61004e00740063] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!?terminate@@YAXXZ] [65006d] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [7200630069004d] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_errno] [66006f0073006f] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___lc_handle_func] [57002000ae0074] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memcpy] [6f0064006e0069] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!malloc] [2000ae00730077] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__crtLCMapStringW] [7200650070004f] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!realloc] [6e006900740061] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!strchr] [79005300200067] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_initterm] [f004200000000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_amsg_exit] [6f007200500001] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!wctob] [74006300750064] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__dllonexit] [73007200650056] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_XcptFilter] [6e006f0069] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memchr] [2e0037002e0037] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!strerror] [30003000360039] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!calloc] [3400370031002e] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!abort] [350031] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__crtCompareStringW] [56000100000044] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [69004600720061] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___lc_collate_cp_func] [6e00490065006c] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___mb_cur_max_func] [6f0066] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_wcsnicmp] [54000000040024] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!tolower] [73006e00610072] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!wcstoul] [6900740061006c] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_vsnwprintf] [6e006f] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!swscanf] [4b00409] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_wcsicmp] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_purecall] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0bad_cast@@QEAA@PEBD@Z] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??1bad_cast@@UEAA@XZ] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0bad_cast@@QEAA@AEBV0@@Z] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!wcschr] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!toupper] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??_V@YAXPEAX@Z] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!free] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memmove] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??1exception@@UEAA@XZ] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??3@YAXPEAX@Z] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memset] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!AppendUserLanguages] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47FromHkl] [1000000000000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!GetUserLanguageInputMethods] [8000001800000010] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47FromLcid] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!AppendUserLanguageInputMethods] [1000000000000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47IsWellFormed] [8000003000000001] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!LcidFromBcp47] [0] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47GetNlsForm] [1000000000000] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!CompactTagFromBcp47Internal] [4800000409] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[USER32.dll!GetKeyboardLayout] [450056005f0053] IAT C:\WINDOWS\Explorer.EXE[1980] @ C:\WINDOWS\system32\UIRibbon.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\Windows\System32\skydrive.exe[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\Windows\System32\DUI70.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\Windows\System32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\skydrive.exe[4696] @ C:\Windows\System32\DUser.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18405_none_932a3cf14750e859\gdiplus.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[7012] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe[2016] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[6376] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18405_none_932a3cf14750e859\gdiplus.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\SYSTEM32\oledlg.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5980] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\SYSTEM32\oledlg.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18405_none_932a3cf14750e859\gdiplus.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\SYSTEM32\OPENGL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\SYSTEM32\DDRAW.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1004] @ C:\WINDOWS\SYSTEM32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.18405_none_932a3cf14750e859\gdiplus.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\comctl32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\rundll32.exe[1108] @ C:\WINDOWS\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxtray.exe[4088] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxtray.exe[4088] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxtray.exe[4088] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxtray.exe[4088] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxtray.exe[4088] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxtray.exe[4088] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxtray.exe[4088] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\OPENGL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\DDRAW.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\igfxsrvc.exe[6296] @ C:\WINDOWS\system32\DCIMAN32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\hkcmd.exe[4212] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\hkcmd.exe[4212] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\hkcmd.exe[4212] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\hkcmd.exe[4212] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\hkcmd.exe[4212] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\hkcmd.exe[4212] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\hkcmd.exe[4212] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxpers.exe[5152] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxpers.exe[5152] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxpers.exe[5152] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxpers.exe[5152] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxpers.exe[5152] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxpers.exe[5152] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\igfxpers.exe[5152] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17810_none_34ae2abd958aedeb\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files\iTunes\iTunesHelper.exe[3000] @ C:\WINDOWS\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe[1840] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\SettingSyncHost.exe[3828] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\SettingSyncHost.exe[3828] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\SettingSyncHost.exe[3828] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\SettingSyncHost.exe[3828] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\SettingSyncHost.exe[3828] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\SettingSyncHost.exe[3828] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\Comctl32.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\Windows\System32\SettingSyncHost.exe[3828] @ C:\Windows\System32\wlidcli.dll[GDI32.dll!DeleteDC] [7ffaa6660000] IAT C:\WINDOWS\system32\svchost.exe[5300] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[5300] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[5300] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4244] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4244] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4244] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4868] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4868] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4868] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4336] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4336] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffaa7100000] IAT C:\WINDOWS\system32\svchost.exe[4336] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffaa7100000] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [3888:6824] fffff9600098f2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 170322294 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 8127 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 16474 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 620 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 909 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 8750 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime 147 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 219 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 522 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 9117 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 309 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 220 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeMapTime 12 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAllocateTime 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 9659 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 9706 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 15210 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 9700 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 16348 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 4353 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 3276 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 16468 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 5495 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime 1614 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 10 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 1109 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 77 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 370697 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x00 0xB6 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 23235 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0xB6 0x26 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 110 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate 29 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 114 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 66 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FileRuns 1 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 2461 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 494 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x9D 0xF0 0x8B 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6c71d982d1b2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{369FA5FD-5E22-48FC-90DD-452122368342}@DefunctTimestamp 0x11 0xFD 0xF0 0x57 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 23874 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 11318 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B50D8C71-E568-4910-8E2C-AA8C19694681}@LeaseObtainedTime 1475411216 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B50D8C71-E568-4910-8E2C-AA8C19694681}@T1 1475454416 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B50D8C71-E568-4910-8E2C-AA8C19694681}@T2 1475486816 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B50D8C71-E568-4910-8E2C-AA8C19694681}@LeaseTerminatesTime 1475497616 Reg HKLM\SYSTEM\CurrentControlSet\Services\UmPass\Parameters\Wdf@TimeOfLastSqmLog 0x0D 0x4F 0x5B 0x6A ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 2659 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Logo100 %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheLogo-4432390_100.dat Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0xF4 0xD4 0x07 0xD6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x59 0x48 0x13 0xD6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x59 0x48 0x13 0xD6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x59 0x48 0x13 0xD6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalBandwidthBucketDrainTime 0x82 0x5F 0x55 0x72 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x59 0x48 0x13 0xD6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudUsertileDirtyMarks 60 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudSettingsDirtyMarks 60 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x88 0x97 0xEB 0x88 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO\COMODO Internet Security\COMODO Internet Security.lnk?C:\Program Files\COMODO\COMODO Internet Security\cistray.exe?--shortcut? Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_HostProblem_46703f7552a24a3eb24d12a0c4196baeee9bf0_00000000_08c99597 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0xC6 0x03 0x0B 0x00 ... ---- EOF - GMER 2.2 ----