GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2015-01-30 12:30:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000079 ST310005 rev.JC45 931,51GB Running: m57g1hli.exe; Driver: C:\Users\Ziggy\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, F0, 12, 84, 01] .text C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 
000000007ef33309 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] 
C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef36911 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 
0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files 
(x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] 
C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36ad9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text 
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36b71 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\NVIDIA Corporation\3D 
Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36c09 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef350b9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 
000000007ef35449 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Program Files (x86)\NVIDIA Corporation\3D 
Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1232] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] 
C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefed64ea1 11 bytes [B8, 79, E5, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefed655c8 12 bytes [48, B8, B9, 6C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefed7b85c 12 bytes [48, B8, F9, 6A, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefed7b9d0 12 bytes [48, B8, 79, 60, 1A, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefed7ba3c 12 bytes [48, B8, B9, 5E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text 
C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1396] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefd0356e0 12 bytes [48, B8, F9, C5, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefd04010c 12 bytes [48, B8, 39, C4, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1396] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefd05daa0 12 bytes [48, B8, 79, C2, 1A, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text 
C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[1436] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefed64ea1 11 bytes [B8, 39, E7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefed655c8 12 bytes [48, B8, B9, 6C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefed7b85c 12 bytes [48, B8, F9, 6A, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefed7b9d0 12 bytes [48, B8, 79, 60, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefed7ba3c 12 bytes [48, B8, B9, 5E, 1A, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 000007fefdfcdc81 11 bytes [B8, 79, 8A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\msi.dll!MsiDecomposeDescriptorW + 157 000007fef47c3e45 11 bytes [B8, 79, EC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\msi.dll!MsiQueryProductStateA + 1 000007fef4842659 11 bytes [B8, 79, 4B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\msi.dll!MsiInstallProductA + 1 000007fef4842ad5 11 bytes [B8, F9, 47, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\msi.dll!MsiQueryProductStateW + 1 000007fef4851311 11 bytes [B8, 39, 4D, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\msi.dll!MsiInstallProductW + 1 000007fef485167d 11 bytes [B8, B9, 49, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\msi.dll!MsiOpenDatabaseW + 1 000007fef4869cf1 11 bytes [B8, 39, 46, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\msi.dll!MsiOpenDatabaseA + 1 000007fef4869f1d 11 bytes [B8, 79, 44, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefd0356e0 12 bytes [48, B8, F9, C5, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefd04010c 12 bytes [48, B8, 39, C4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefd05daa0 12 bytes [48, B8, 79, C2, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefd0356e0 12 bytes [48, B8, F9, C5, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefd04010c 12 bytes [48, B8, 39, C4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefd05daa0 12 bytes [48, B8, 79, C2, 1A, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefed64ea1 11 bytes [B8, 39, E7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefed655c8 12 bytes [48, B8, B9, 6C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefed7b85c 12 bytes [48, B8, F9, 6A, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefed7b9d0 12 bytes [48, B8, 79, 60, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefed7ba3c 12 bytes [48, B8, B9, 5E, 1A, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1716] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefd0356e0 12 bytes [48, B8, F9, C5, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefd04010c 12 bytes [48, B8, 39, C4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1716] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefd05daa0 12 bytes [48, B8, 79, C2, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] 
.text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text 
C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefd0356e0 12 bytes [48, B8, F9, C5, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefd04010c 12 bytes [48, B8, 39, C4, 1A, 75, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefd05daa0 12 bytes [48, B8, 79, C2, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\spoolsv.exe[1876] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text 
C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefed64ea1 11 bytes [B8, 39, E7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefed655c8 12 bytes [48, B8, B9, 6C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefed7b85c 12 bytes [48, B8, F9, 6A, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefed7b9d0 12 bytes [48, B8, 79, 60, 1A, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefed7ba3c 12 bytes [48, B8, B9, 5E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text 
C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA 
Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience 
Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] 
C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2060] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] 
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, D9, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, C5, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, C4, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text 
C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, DA, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, DC, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 
0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, 01, 1B, 75] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, EC, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, FF, 1A, 75, 00, 00, ...] 
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, F3, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, EF, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, E8, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, CB, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] 
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, C9, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, C7, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, E5, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] 
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, D9, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, C5, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, C4, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, DA, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] 
C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, DC, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, 01, 1B, 75] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] 
C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, EC, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, FF, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, F3, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, EF, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, E8, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, CB, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, C9, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, C7, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, E5, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, C2, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, C0, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, BE, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, FC, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, A8, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, BD, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, AB, 1A, 75, 00] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, A9, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, F5, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, FA, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, F8, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] 
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 0000000076f52b3c 12 bytes [48, B8, B9, 65, 1A, 75, 00, ...] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2240] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 0000000076f6b25d 11 bytes [B8, F9, 63, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000757b1401 2 bytes JMP 7509b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000757b1419 2 bytes JMP 7509b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000757b1431 2 bytes JMP 75118ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000757b144a 2 bytes CALL 750748ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757b14dd 2 bytes JMP 751187a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757b14f5 2 bytes JMP 75118978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000757b150d 2 bytes JMP 75118698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000757b1525 2 bytes JMP 75118a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000757b153d 2 bytes JMP 7508fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000757b1555 2 bytes JMP 750968ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000757b156d 2 bytes JMP 75118f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000757b1585 2 bytes JMP 75118ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000757b159d 2 bytes JMP 7511865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757b15b5 2 
bytes JMP 7508fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757b15cd 2 bytes JMP 7509b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757b16b2 2 bytes JMP 75118e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757b16bd 2 bytes JMP 751185f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef36911 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files 
(x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program 
Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text 
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36ad9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef350b9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35449 .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36b71 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36c09 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35579 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef354e1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36619 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef34dc1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef367e1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef36879 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef36749 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef34e59 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2456] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef34ef1 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 
00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 
0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefed64ea1 11 bytes [B8, F9, EF, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefed655c8 12 bytes [48, B8, B9, 6C, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefed7b85c 12 bytes [48, B8, F9, 6A, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefed7b9d0 12 bytes [48, B8, 79, 60, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2480] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefed7ba3c 12 bytes [48, B8, B9, 5E, 1A, 75, 00, ...] 
.text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef36911 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] 
C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] 
C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] 
C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36ad9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef359a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 
000000007ef350b9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35449 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36b71 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36c09 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] 
C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000074ca17fa 2 bytes CALL 750711a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074ca1860 2 bytes CALL 750711a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074ca1942 2 bytes JMP 76b57089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000074ca194d 2 bytes JMP 76b5cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35579 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef354e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36619 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef34dc1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef367e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] 
C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef36879 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef36749 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef34e59 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef34ef1 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000757b1401 2 bytes JMP 7509b21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000757b1419 2 bytes JMP 7509b346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000757b1431 2 bytes JMP 75118ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000757b144a 2 bytes CALL 750748ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757b14dd 2 bytes JMP 751187a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757b14f5 2 bytes JMP 75118978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000757b150d 2 bytes JMP 75118698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000757b1525 2 bytes JMP 75118a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000757b153d 2 bytes JMP 7508fca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000757b1555 2 bytes JMP 750968ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000757b156d 2 bytes JMP 75118f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000757b1585 2 bytes JMP 75118ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000757b159d 2 bytes JMP 7511865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757b15b5 2 bytes JMP 7508fd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757b15cd 2 bytes JMP 7509b2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 
00000000757b16b2 2 bytes JMP 75118e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757b16bd 2 bytes JMP 751185f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] 
.text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, F0, 12, A4, 01] .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2636] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007727b7e1 11 bytes [B8, F0, 12, 9D, 00, 00, 00, ...] .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 
000000007ef32db1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef36911 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Windows\SysWOW64\vmnat.exe[2692] 
C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 
5 bytes JMP 000000007ef34901 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text 
C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36ad9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 
000000007ef359a1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef350b9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35449 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Windows\SysWOW64\vmnat.exe[2692] 
C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36b71 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36c09 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text 
C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35579 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef354e1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36619 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef34dc1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef367e1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef36879 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef36749 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef34e59 .text C:\Windows\SysWOW64\vmnat.exe[2692] 
C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef34ef1 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\DNSAPI.dll!DnsQuery_UTF8 0000000071d680d2 5 bytes JMP 000000007ef35f91 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\DNSAPI.dll!DnsQuery_W 0000000071d7572c 5 bytes JMP 000000007ef35ef9 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\DNSAPI.dll!DnsQuery_A 0000000071d8a9b0 5 bytes JMP 000000007ef35e61 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4 0000000071c413b0 2 bytes JMP 75ad5660 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 20 0000000071c413c0 2 bytes CALL 76d79cee C:\Windows\syswow64\msvcrt.dll .text ... * 20 .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22 0000000071c4153e 2 bytes CALL 75b6777c C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43 0000000071c41553 2 bytes CALL 750710ff C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\vmnat.exe[2692] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, 
C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program 
Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 
0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefed64ea1 11 bytes [B8, F9, EF, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefed655c8 12 bytes [48, B8, B9, 6C, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefed7b85c 12 bytes [48, B8, F9, 6A, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefed7b9d0 12 bytes [48, B8, 79, 60, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefed7ba3c 12 bytes [48, B8, B9, 5E, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefd0356e0 12 bytes [48, B8, F9, C5, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefd04010c 12 bytes [48, B8, 39, C4, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefd05daa0 12 bytes [48, B8, 79, C2, 1A, 75, 00, ...] 
.text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef36619 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef36029 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35f91 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text D:\Program Files 
(x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef366b1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef36749 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef37291 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text 
D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36f01 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36ca1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef36581 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef36b71 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36dd1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 
000000007ef347d1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef36a41 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 
00000000752a2ab1 5 bytes JMP 000000007ef36159 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef360c1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef361f1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35ef9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef35e61 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36f99 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef35741 
.text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef37161 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef371f9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef370c9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef357d9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef35871 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef374f1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] 
C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef37589 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000757b1401 2 bytes JMP 7509b21b C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000757b1419 2 bytes JMP 7509b346 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000757b1431 
2 bytes JMP 75118ea9 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000757b144a 2 bytes CALL 750748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757b14dd 2 bytes JMP 751187a2 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757b14f5 2 bytes JMP 75118978 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000757b150d 2 bytes JMP 75118698 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000757b1525 2 bytes JMP 75118a62 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000757b153d 2 bytes JMP 7508fca8 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000757b1555 2 bytes JMP 750968ef C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000757b156d 2 bytes JMP 75118f61 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000757b1585 2 bytes JMP 75118ac2 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000757b159d 2 bytes JMP 7511865c C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757b15b5 2 bytes JMP 7508fd41 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757b15cd 2 bytes JMP 7509b2dc C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757b16b2 2 bytes JMP 75118e24 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757b16bd 2 bytes JMP 751185f1 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef35909 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef363b9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef37621 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef359a1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef36289 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] 
C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef36321 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef35a39 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef373c1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35dc9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef37329 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef35d31 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef35b69 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] 
C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef36451 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35ad1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 5 bytes JMP 000000007ef35c01 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35c99 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000076c916bc 5 bytes JMP 000000007ef321d1 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000076c956bb 5 bytes JMP 000000007ef34149 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000076ce15d0 5 bytes JMP 000000007ef32ab9 .text D:\Program Files (x86)\VMware\vmware-authd.exe[2956] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 
50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program 
Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefd0356e0 12 bytes [48, B8, F9, C5, 1A, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefd04010c 12 bytes [48, B8, 39, C4, 1A, 75, 00, ...] 
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2996] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefd05daa0 12 bytes [48, B8, 79, C2, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 
6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 
75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text 
C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[3024] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, F9, 55, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, 5C, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, 5B, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 
bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, B9, 5E, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text 
C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, 79, 60, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, 75, 1A, 75] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 39, 69, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, 73, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 39, 70, 1A, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, B9, 6C, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, B9, 65, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 79, 4B, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, 39, 46, 1A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 79, 44, 1A, 75, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, 39, 4D, 1A, 75, 00, 00, ...] 
.text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, F9, 47, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, B9, 49, 1A, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text 
C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef36911 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text 
C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text 
C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text 
C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36ad9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] 
C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef359a1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef350b9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35449 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!FindWindowExW 
00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36b71 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36c09 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text 
C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35579 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef354e1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36619 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef34dc1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef367e1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes 
JMP 000000007ef36879 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef36749 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef34e59 .text C:\Windows\SysWOW64\vmnetdhcp.exe[3344] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef34ef1 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, D9, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, C5, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] 
C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, C4, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files (x86)\Common 
Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, DA, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common 
Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, DC, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, 01, 1B, 75] .text C:\Program Files 
(x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, EC, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, FF, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, F3, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, EF, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, E8, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, CB, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, C9, 1A, 75, 00, ...] 
.text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, C7, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, E5, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] 
.text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, C2, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, C0, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, BE, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, FC, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, A8, 1A, 75, 00, ...] 
.text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, BD, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, AB, 1A, 75, 00] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, A9, 1A, 75, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, F5, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, FA, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[3364] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, F8, 1A, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, D9, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, C5, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 
0000000077571570 6 bytes [48, B8, 39, C4, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, DA, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, DC, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, 01, 1B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, EC, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, FF, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, F3, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, EF, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, E8, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, CB, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, C9, 1A, 75, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, C7, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, E5, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3580] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text 
C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text 
C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text 
C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] 
.text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 
000000007ef32ee1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 
bytes JMP 000000007ef36911 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files (x86)\IObit\Advanced SystemCare 
8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text 
C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 
5 bytes JMP 000000007ef32431 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36ad9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36b71 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!CreateWindowExA 
00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef350b9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35449 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!SetWindowTextA 
00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] 
C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36c09 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35579 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef354e1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36619 .text C:\Program Files (x86)\IObit\Advanced 
SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef34dc1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef367e1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef36879 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef36749 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef34e59 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef34ef1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe[3660] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef36619 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] 
C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef36029 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35f91 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes 
JMP 000000007ef32e49 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef366b1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef36749 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef37291 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files 
(x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36f01 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36ca1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef36b71 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36dd1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] 
C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] 
C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef36159 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef37459 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 
000000007ef31b49 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef363b9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 1 byte JMP 000000007ef374f1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 2 00000000756cb6ef 3 bytes {JMP 0x986be04} .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef36289 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] 
C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef373c1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef37329 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef35b69 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!MessageBoxExA 
000000007571fcd6 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef37589 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 
.text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!closesocket 0000000076b53918 5 bytes JMP 000000007ef35ef9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef35e61 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!socket 0000000076b53eb8 5 bytes JMP 000000007ef36f99 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!recv 0000000076b56b0e 5 bytes JMP 000000007ef37161 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!WSARecv 0000000076b57089 5 bytes JMP 000000007ef371f9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef370c9 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef357d9 .text 
C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\WS2_32.DLL!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef35871 .text C:\Program Files (x86)\ScreenShooter\screenshooter.exe[3720] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 
4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] 
.text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text 
C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 bytes [48, B8, 79, E5, 1A, 75] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] 
.text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] 
.text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\igfxsrvc.exe[3728] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text 
C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077572b80 6 
bytes [48, B8, 79, E5, 1A, 75] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077572b88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef36911 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\NVIDIA 
Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] 
C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 
000000007ef32431 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36ad9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35579 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef354e1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36619 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef34dc1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] 
C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef367e1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef36879 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef36749 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef34e59 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef34ef1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\NVIDIA Corporation\Update 
Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36c09 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef350b9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35449 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 
000000007ef34bf9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\NVIDIA Corporation\Update 
Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36ca1 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4236] 
C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[4340] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] 
.text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef356a9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35611 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef36911 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 
.text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\IObit\IObit 
Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] 
C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef357d9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef35871 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 
000000007ef32431 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef36ad9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef34f89 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef36b71 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] 
C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef35021 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef350b9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35449 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef369a9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files 
(x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef353b1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef351e9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35151 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 000000007ef35281 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [81, 09] .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35319 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] 
C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef36c09 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35579 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 
bytes JMP 000000007ef354e1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36619 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef34dc1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef367e1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef36879 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef36749 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef34e59 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef34ef1 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4516] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075a70179 5 
bytes JMP 000000007ef34d29 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef36619 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef36029 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35f91 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text 
C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef366b1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef36749 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef37291 .text C:\Program Files (x86)\IObit\Advanced SystemCare 
8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36f01 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36ca1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files 
(x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef36b71 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36dd1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files 
(x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef36159 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files 
(x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef37459 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] 
C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef363b9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 1 byte JMP 000000007ef374f1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 2 00000000756cb6ef 3 bytes {JMP 0x986be04} .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef36289 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef373c1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!PostMessageA 
00000000756d3baa 5 bytes JMP 000000007ef37329 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef35b69 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 
bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef37589 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes 
JMP 000000007ef33db9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35ef9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef35e61 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36f99 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef37161 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef371f9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] 
C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef370c9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef357d9 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef35871 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe[4492] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef36619 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef36029 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35f91 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 
000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef366b1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef36749 .text 
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef37291 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program 
Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36f01 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36ca1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef36581 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef36b71 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36dd1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files\Intel\Intel(R) Rapid 
Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef36a41 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef36159 .text C:\Program Files\Intel\Intel(R) Rapid Storage 
Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef360c1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef361f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef37459 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] 
C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef35909 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef363b9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 1 byte JMP 000000007ef374f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 2 00000000756cb6ef 3 bytes {JMP 0x986be04} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef359a1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef36289 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef36321 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 
5 bytes JMP 000000007ef35a39 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef373c1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35dc9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef37329 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef35d31 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef35b69 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef36451 .text C:\Program 
Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35ad1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 5 bytes JMP 000000007ef35c01 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35c99 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef37589 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files\Intel\Intel(R) 
Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4704] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef36619 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef36029 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35f91 .text C:\Program 
Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef366b1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text 
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 000000007ef33141 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef36749 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef37291 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] 
C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36f01 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36ca1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef36581 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef36b71 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36dd1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files\Intel\Intel(R) Rapid 
Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef36a41 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef36159 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef360c1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef361f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 000000007ef32c81 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 
00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 000000007ef33bf1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef37459 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] 
C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef374f1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef35909 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef363b9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef37589 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef359a1 .text C:\Program Files\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef36289 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef36321 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef35a39 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef373c1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35dc9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef37329 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef35d31 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef35b69 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef36451 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35ad1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 5 bytes JMP 000000007ef35c01 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35c99 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35ef9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef35e61 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36f99 .text C:\Program 
Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef35741 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef37161 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef371f9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 000000007ef370c9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef357d9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef35871 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000076c916bc 5 bytes JMP 000000007ef321d1 .text C:\Program Files\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000076c956bb 5 bytes JMP 000000007ef34149 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000076ce15d0 5 bytes JMP 000000007ef32ab9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2432] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075a70179 5 bytes JMP 000000007ef34d29 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 000000007ef36619 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 000000007ef36029 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 000000007ef331d9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 000000007ef315f1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 000000007ef31689 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 000000007ef35f91 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 000000007ef330a9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] 
C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 000000007ef33309 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 000000007ef33271 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 000000007ef32ee1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 000000007ef32db1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 000000007ef31ed9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 000000007ef32301 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 000000007ef32e49 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 000000007ef32d19 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 000000007ef366b1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 000000007ef34ac9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 
000000007ef33141 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 000000007ef36749 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 000000007ef33439 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 000000007ef333a1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 000000007ef37291 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 000000007ef31ab1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 000000007ef32009 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 000000007ef34b61 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 000000007ef31f71 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 000000007ef31da9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 000000007ef32a21 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 000000007ef325f9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 000000007ef33011 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 000000007ef36f01 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 000000007ef36ca1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 000000007ef32729 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 000000007ef36581 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 000000007ef36b71 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 000000007ef36dd1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 000000007ef328f1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 000000007ef346a1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 000000007ef347d1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 000000007ef34901 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 bytes JMP 000000007ef34a31 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 000000007ef31a19 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 000000007ef33b59 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 000000007ef33601 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 000000007ef32399 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 000000007ef31e41 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 000000007ef36a41 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 000000007ef33ac1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] 
C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 000000007ef33a29 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 000000007ef31981 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 000000007ef324c9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 000000007ef36159 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 000000007ef360c1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 000000007ef361f1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 000000007ef318e9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 000000007ef32269 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 000000007ef32431 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 000000007ef33569 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 
5 bytes JMP 000000007ef32c81 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 000000007ef327c1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 000000007ef34441 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 000000007ef343a9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 000000007ef35909 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 000000007ef363b9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 000000007ef37459 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 000000007ef359a1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 000000007ef334d1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 000000007ef36289 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 000000007ef36321 .text C:\Program Files (x86)\Intel\Intel(R) Management 
Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 000000007ef34571 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 000000007ef35a39 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 000000007ef373c1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 000000007ef35dc9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 000000007ef37329 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 000000007ef344d9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 000000007ef34bf9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 000000007ef32be9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 000000007ef35d31 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 000000007ef32b51 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] 
C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 000000007ef35b69 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 000000007ef34c91 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 000000007ef36451 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 000000007ef35ad1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 5 bytes JMP 000000007ef35c01 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 000000007ef35c99 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 000000007ef374f1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 000000007ef31be1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 000000007ef31b49 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 000000007ef33c89 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes 
JMP 000000007ef33bf1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 000000007ef340b1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 000000007ef37589 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 000000007ef34311 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 000000007ef33e51 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 000000007ef33ee9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 000000007ef33f81 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 000000007ef34019 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 000000007ef33d21 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 000000007ef33db9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 000000007ef34279 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076b53918 5 bytes JMP 000000007ef35ef9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076b53cd3 5 bytes JMP 000000007ef35e61 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!socket 0000000076b53eb8 5 bytes JMP 000000007ef36f99 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076b54406 5 bytes JMP 000000007ef32139 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076b54889 5 bytes JMP 000000007ef35741 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!recv 0000000076b56b0e 5 bytes JMP 000000007ef37161 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!connect 0000000076b56bdd 1 byte JMP 000000007ef341e1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076b56bdf 3 bytes {CALL RBP} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!send 0000000076b56f01 5 bytes JMP 000000007ef320a1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076b57089 5 bytes JMP 000000007ef371f9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076b5cc3f 5 bytes JMP 
000000007ef370c9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 0000000076b5d1ea 5 bytes JMP 000000007ef357d9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5128] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076b67673 5 bytes JMP 000000007ef35871 .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000775592d1 5 bytes [B8, 39, 69, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000775592d7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775713a0 6 bytes [48, B8, 39, BD, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000775713a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077571470 6 bytes [48, B8, F9, A9, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077571478 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077571510 6 bytes [48, B8, F9, 32, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077571518 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077571530 6 bytes [48, B8, 39, 1C, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077571538 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077571550 6 bytes [48, B8, F9, 1D, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] 
C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077571558 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077571570 6 bytes [48, B8, 39, A8, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077571578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077571650 6 bytes [48, B8, 79, 2F, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077571658 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077571670 6 bytes [48, B8, 79, 36, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077571678 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077571700 6 bytes [48, B8, B9, 34, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077571708 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077571780 6 bytes [48, B8, 39, 2A, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077571788 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077571790 6 bytes [48, B8, B9, 26, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077571798 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077571cd0 6 bytes [48, B8, 79, 28, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077571cd8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077571d30 6 bytes [48, B8, F9, 24, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077571d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775720a0 6 bytes [48, B8, F9, BE, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000775720a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000775725e0 6 bytes [48, B8, 79, 83, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000775725e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775727e0 6 bytes [48, B8, 39, 31, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000775727e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775729a0 6 bytes [48, B8, B9, C0, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000775729a8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077572a80 6 bytes [48, B8, 79, 3D, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077572a88 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077572a90 6 bytes [48, B8, B9, 3B, 1A, 75] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 
8 0000000077572a98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000775e3201 11 bytes [B8, 39, 85, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] 
.text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007fefed64ea1 11 bytes [B8, 39, E7, 1A, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefed655c8 12 bytes [48, B8, B9, 6C, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefed7b85c 12 bytes [48, B8, F9, 6A, 1A, 75, 00, ...] 
.text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefed7b9d0 12 bytes [48, B8, 79, 60, 1A, 75, 00, ...] .text C:\Windows\system32\svchost.exe[5168] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefed7ba3c 12 bytes [48, B8, B9, 5E, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 12 bytes [48, B8, B9, 81, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 12 bytes [48, B8, 39, 7E, 1A, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 1A, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1f13b1 11 bytes [B8, 79, A6, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1f18e0 12 bytes [48, B8, B9, A4, 1A, 75, 00, ...] 
.text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff1f1bd1 11 bytes [B8, F9, A2, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff1f2201 11 bytes [B8, 39, E0, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1f23c0 12 bytes [48, B8, 39, 8C, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!connect 000007feff1f45c0 12 bytes [48, B8, 79, 67, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!send + 1 000007feff1f8001 11 bytes [B8, 39, A1, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff1f8df0 7 bytes [48, B8, B9, 8F, 1A, 75, 00] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff1f8df9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff1fc090 12 bytes [48, B8, F9, 8D, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff1fde91 11 bytes [B8, 39, D9, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff1fdf41 11 bytes [B8, 79, DE, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff21e0f1 11 bytes [B8, B9, DC, 1A, 75, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 0000000076f52b3c 12 bytes [48, B8, B9, 65, 1A, 75, 00, ...] .text C:\Windows\System32\svchost.exe[5260] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 0000000076f6b25d 11 bytes [B8, F9, 63, 1A, 75, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000771e1b21 11 bytes [B8, 79, BB, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000771e1c10 12 bytes [48, B8, F9, 39, 57, 70, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000771e2b61 8 bytes [B8, 79, D0, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000771e2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771fdb80 12 bytes [48, B8, B9, 2D, 57, 70, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077200931 11 bytes [B8, B9, E3, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000772352f1 11 bytes [B8, B9, 7A, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077235311 11 bytes [B8, 39, 77, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007724a5e0 4 bytes [48, B8, B9, 81] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!ReadConsoleW + 5 000000007724a5e5 7 bytes [70, 00, 00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007724a6f0 4 bytes [48, B8, 39, 7E] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!ReadConsoleA + 5 000000007724a6f5 7 bytes [70, 00, 00, 00, 00, 50, C3] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007726f491 11 bytes [B8, 79, D7, 57, 70, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007726f691 11 bytes [B8, F9, D3, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007726f6c1 8 bytes [B8, F9, CC, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007726f6ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefdb11861 11 bytes [B8, 79, 52, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefdb12db1 11 bytes [B8, 39, AF, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefdb13461 11 bytes [B8, F9, B0, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdb18ef0 12 bytes [48, B8, 79, AD, 57, 70, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefdb194c0 12 bytes [48, B8, B9, 50, 57, 70, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefdb1bfd1 11 bytes [B8, B9, AB, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefdb22af1 11 bytes [B8, F9, 4E, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefdb44350 12 bytes [48, B8, B9, 42, 57, 70, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefdb50c11 11 bytes [B8, 79, C9, 57, 70, 00, 00, ...] 
.text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefdb52871 8 bytes [B8, 39, 23, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefdb5287a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefdb528b1 11 bytes [B8, F9, 40, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007fefde8642d 11 bytes [B8, 39, 5B, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefde86484 12 bytes [48, B8, F9, 55, 57, 70, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007fefde86519 11 bytes [B8, 39, 62, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefde86c34 12 bytes [48, B8, 39, 54, 57, 70, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007fefde87ab5 11 bytes [B8, F9, 5C, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007fefde88b01 11 bytes [B8, B9, 57, 57, 70, 00, 00, ...] .text C:\Windows\System32\svchost.exe[5288] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007fefde88c39 11 bytes [B8, 79, 59, 57, 70, 00, 00, ...] 
.text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007771f8f0 5 bytes JMP 00000001706b6619 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007771f9e0 5 bytes JMP 00000001706b5c99 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007771fb28 5 bytes JMP 00000001706b56a9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007771fc20 5 bytes JMP 00000001706b31d9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007771fc50 5 bytes JMP 00000001706b15f1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007771fc80 5 bytes JMP 00000001706b1689 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fcb0 5 bytes JMP 00000001706b5611 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fe14 5 bytes JMP 00000001706b30a9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007771fe44 5 bytes JMP 00000001706b3309 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007771ff24 5 bytes JMP 00000001706b3271 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007771ffec 5 bytes JMP 00000001706b2ee1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077720004 5 bytes JMP 00000001706b2db1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777200b4 5 bytes JMP 00000001706b1ed9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777201c4 5 bytes JMP 00000001706b2301 .text 
C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077720814 5 bytes JMP 00000001706b2e49 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777208a4 5 bytes JMP 00000001706b2d19 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720df4 5 bytes JMP 00000001706b5d31 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077721604 5 bytes JMP 00000001706b4ac9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721920 5 bytes JMP 00000001706b3141 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721be4 5 bytes JMP 00000001706b5dc9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 0000000077721d54 5 bytes JMP 00000001706b3439 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d70 5 bytes JMP 00000001706b33a1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077721ee8 5 bytes JMP 00000001706b69a9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000777388c4 5 bytes JMP 00000001706b1ab1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 0000000077760d3b 5 bytes JMP 00000001706b2009 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000777a860f 5 bytes JMP 00000001706b4b61 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000777ae8ab 5 bytes JMP 00000001706b1f71 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 0000000075070e00 5 bytes JMP 
00000001706b1da9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075071072 5 bytes JMP 00000001706b2a21 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 000000007507499f 5 bytes JMP 00000001706b25f9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075083bbb 5 bytes JMP 00000001706b3011 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075089aa4 5 bytes JMP 00000001706b6581 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075089b05 5 bytes JMP 00000001706b6321 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075097327 5 bytes JMP 00000001706b2729 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000750988da 5 bytes JMP 00000001706b5c01 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileExA 000000007509ccb1 5 bytes JMP 00000001706b61f1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007509ccd1 5 bytes JMP 00000001706b6451 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!WinExec 00000000750f2ff1 5 bytes JMP 00000001706b28f1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 000000007511748b 5 bytes JMP 00000001706b46a1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 00000000751174ae 5 bytes JMP 00000001706b47d1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075117859 5 bytes JMP 00000001706b4901 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000751178d2 5 
bytes JMP 00000001706b4a31 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000075298f8d 5 bytes JMP 00000001706b1a19 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007529c436 5 bytes JMP 00000001706b3b59 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007529eca6 5 bytes JMP 00000001706b3601 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 000000007529f206 5 bytes JMP 00000001706b2399 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 000000007529fa89 5 bytes JMP 00000001706b1e41 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007529fbb7 5 bytes JMP 00000001706b60c1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 00000000752a1358 5 bytes JMP 00000001706b3ac1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000752a137f 5 bytes JMP 00000001706b3a29 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000752a1d29 5 bytes JMP 00000001706b1981 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 00000000752a1e15 5 bytes JMP 00000001706b24c9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000752a2ab1 5 bytes JMP 00000001706b57d9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000752a2cd9 5 bytes JMP 00000001706b5741 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000752a2d17 5 bytes JMP 00000001706b5871 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] 
C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 00000000752a2e7a 5 bytes JMP 00000001706b18e9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 00000000752a3b70 5 bytes JMP 00000001706b2269 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!Sleep 00000000752a4496 5 bytes JMP 00000001706b2431 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 00000000752a4608 5 bytes JMP 00000001706b3569 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 00000000752a4631 5 bytes JMP 00000001706b2c81 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 00000000752ac734 5 bytes JMP 00000001706b27c1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000076abc9ec 5 bytes JMP 00000001706b3c89 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076ac2b70 5 bytes JMP 00000001706b3bf1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000076ac361c 5 bytes JMP 00000001706b40b1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076ac4965 5 bytes JMP 00000001706b6b71 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076ad70c4 5 bytes JMP 00000001706b4311 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000076ad70dc 5 bytes JMP 00000001706b3e51 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000076ad70f4 5 bytes JMP 00000001706b3ee9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000076af31f4 5 bytes JMP 00000001706b3f81 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] 
C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000076af3204 5 bytes JMP 00000001706b4019 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 0000000076af3214 5 bytes JMP 00000001706b3d21 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 0000000076af3224 5 bytes JMP 00000001706b3db9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076af3264 5 bytes JMP 00000001706b4279 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076d7a472 5 bytes JMP 00000001706b6c09 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076d827ce 5 bytes JMP 00000001706b1be1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076d8e6cf 5 bytes JMP 00000001706b1b49 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000756c78e2 5 bytes JMP 00000001706b4441 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000756c7bd3 5 bytes JMP 00000001706b43a9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756c8a29 5 bytes JMP 00000001706b4f89 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000756c98fd 5 bytes JMP 00000001706b5a39 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000756cb6ed 5 bytes JMP 00000001706b6ca1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000756cd22e 5 bytes JMP 00000001706b5021 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756cee09 5 bytes JMP 00000001706b34d1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] 
C:\Windows\syswow64\USER32.dll!FindWindowA 00000000756cffe6 5 bytes JMP 00000001706b5909 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000756d00d9 5 bytes JMP 00000001706b59a1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000756d05ba 5 bytes JMP 00000001706b4571 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000756d0dfb 5 bytes JMP 00000001706b50b9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756d12a5 5 bytes JMP 00000001706b6ad9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000756d20ec 5 bytes JMP 00000001706b5449 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756d3baa 5 bytes JMP 00000001706b6a41 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000756d5f74 5 bytes JMP 00000001706b44d9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000756d6285 5 bytes JMP 00000001706b4bf9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756d7603 5 bytes JMP 00000001706b2be9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000756d7aee 5 bytes JMP 00000001706b53b1 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756d835c 5 bytes JMP 00000001706b2b51 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000756ece54 5 bytes JMP 00000001706b51e9 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756ef52b 5 bytes JMP 00000001706b4c91 .text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] 
C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000756ef588 5 bytes JMP 00000001706b5ad1
.text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000756f10a0 5 bytes JMP 00000001706b5151
.text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007571fcd6 2 bytes JMP 00000001706b5281
.text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3 000000007571fcd9 2 bytes [F9, FA]
.text C:\Users\Ziggy\Desktop\m57g1hli.exe[3680] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007571fcfa 5 bytes JMP 00000001706b5319

---- Devices - GMER 2.1 ----

Device \FileSystem\MBAMWebAccessControl \Device\StreamEitor fffff8800bd0f5ac
Device \FileSystem\MBAMSwissArmy \Device\MBAMSwissArmy fffff8800bd03104

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@CriticalSectionTimeout 2592000
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@GlobalFlag 0
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitFreeBlockThreshold 0
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapDeCommitTotalFreeThreshold 0
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentCommit 0
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@HeapSegmentReserve 0
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProcessorControl 2
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ResourceTimeoutCount 648000
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@BootExecute autocheck autochk *?SmartDefragBootTime.exe?
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ExcludeFromKnownDlls
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ObjectDirectories \Windows?\RPC Control?
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@ProtectionMode 1
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@NumberOfInitialSessions 2
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@SetupExecute

---- Files - GMER 2.1 ----

File C:\Windows\Temp\~bdEB21.tmp 0 bytes

---- EOF - GMER 2.1 ----